Multiple Cisco Products Snort 3 Denial of Service Vulnerabilities

Monitor (5.8) · cisco-sa-snort3-multi-dos-XFWkWSwz · Mar 4, 2026
Vendor: Cisco
Sectors: Energy, Manufacturing
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple Cisco Snort 3 Detection Engine vulnerabilities allow an unauthenticated remote attacker to send malicious traffic that causes the Snort engine to restart, interrupting packet inspection and threat detection. The vulnerabilities affect UTD SNORT IPS Engine Software, Firepower Series (1000, 2100, 3000, 4100, 9000), Secure Firewall Series (1200, 3100, 4200), ASA 5500-X, Secure Firewall Threat Defense Virtual, and Cyber Vision appliances across all versions. While no active exploitation has been reported, Cisco has released software updates to address these issues. No workarounds are available.

What this means
What could happen
An attacker can send specially crafted network traffic to restart the Snort intrusion detection engine, which disables packet inspection until the service recovers. This creates a window where malicious traffic may pass through undetected.
Who's at risk
Organizations running Cisco Firepower, ASA, Secure Firewall, or Snort-based security appliances in energy and manufacturing sectors. This includes industrial security appliances (ISA), threat defense systems, and intrusion prevention deployments protecting critical infrastructure networks.
How it could be exploited
An attacker with network access to any Snort-protected interface sends a malformed packet or specific payload that triggers a crash in the Snort 3 Detection Engine. The engine restarts, temporarily stopping all threat detection on affected traffic flows.
Prerequisites
  • Network connectivity to the firewall or appliance from the internet or a compromised internal network
  • No credentials or special configuration required
Tags: remotely exploitable, no authentication required, low complexity, affects threat detection systems, causes denial of service to packet inspection
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (12)
12 with fix
Product | Affected Versions | Fix Status
UTD SNORT IPS Engine Software | All versions | Fix available
Firepower 1000 Series | All versions | Fix available
3000 Series Industrial Security Appliances (ISA) | All versions | Fix available
Firepower 9000 Series | All versions | Fix available
Firepower 4100 Series | All versions | Fix available
Secure Firewall Threat Defense Virtual | All versions | Fix available
Secure Firewall 3100 Series | All versions | Fix available
Secure Firewall 4200 Series | All versions | Fix available
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade to the latest Cisco software release that addresses the Snort 3 vulnerability for your firewall or appliance model
HOTFIX: Plan and execute firmware updates during a scheduled maintenance window to minimize operational disruption
API: /api/v1/advisories/a9797b56-75ee-401e-b100-c1981a02fd65
