CVE-2026-20069

A vulnerability in the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct browser-based attacks against users of an affected device. This vulnerability is due to improper validation of HTTP requests. An attacker could exploit this vulnerability by persuading a user to visit a website that is designed to pass malicious HTTP requests to a device that is running Cisco Secure Firewall ASA Software or Cisco Secure FTD Software and has web services endpoints supporting VPN features enabled. A successful exploit could allow the attacker to reflect malicious input from the affected device to the browser that is in use and conduct browser-based attacks, including cross-site scripting (XSS) attacks. The attacker is not able to directly impact the affected device.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-desync-n5AVzEQw	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:firepower_threat_defense_software::::::::
	cpe:2.3:a:cisco:firepower_threat_defense_software::::::::
	cpe:2.3:a:cisco:firepower_threat_defense_software::::::::
	cpe:2.3:a:cisco:firepower_threat_defense_software::::::::
	cpe:2.3:a:cisco:firepower_threat_defense_software::::::::

Configuration 2 (hide)

OR	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
	cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::

History

02 Jun 2026, 15:08

Type	Values Removed	Values Added
References	~~() https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-desync-n5AVzEQw -~~	() https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-desync-n5AVzEQw - Vendor Advisory
First Time		Cisco firepower Threat Defense Software Cisco adaptive Security Appliance Software Cisco
CPE		cpe:2.3:a:cisco:firepower_threat_defense_software:::::::: cpe:2.3:o:cisco:adaptive_security_appliance_software::::::::
Summary		(es) Una vulnerabilidad en el componente de servicios web VPN de Cisco Secure Firewall Adaptive Security Appliance (ASA) Software y Cisco Secure Firewall Threat Defense (FTD) Software podría permitir a un atacante remoto no autenticado realizar ataques basados en el navegador contra los usuarios de un dispositivo afectado. Esta vulnerabilidad se debe a una validación incorrecta de las solicitudes HTTP. Un atacante podría explotar esta vulnerabilidad persuadiendo a un usuario para que visite un sitio web diseñado para pasar solicitudes HTTP maliciosas a un dispositivo que ejecuta Cisco Secure Firewall ASA Software o Cisco Secure FTD Software y tiene habilitados los puntos finales de servicios web que admiten funciones VPN. Un exploit exitoso podría permitir al atacante reflejar entradas maliciosas desde el dispositivo afectado al navegador en uso y realizar ataques basados en el navegador, incluyendo ataques de cross-site scripting (XSS). El atacante no puede impactar directamente el dispositivo afectado.

04 Mar 2026, 18:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-04 18:16

Updated : 2026-06-02 15:08

NVD link : CVE-2026-20069

Mitre link : CVE-2026-20069

CVE.ORG link : CVE-2026-20069

JSON object : View

Products Affected

cisco

firepower_threat_defense_software
adaptive_security_appliance_software

CWE

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

4.3 /10