Cyber Resilience

CVE-2026-20014

High

Published: 04 March 2026

Published
04 March 2026
Modified
16 April 2026
KEV Added
Patch
CVSS Score v3.1 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
EPSS Score 0.0020 42.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-20014 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 42.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-20014 is a vulnerability in the IKEv2 feature of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software. The issue arises from improper processing of IKEv2 packets, enabling an authenticated remote attacker with valid VPN user credentials to trigger a denial-of-service (DoS) condition. Exploitation can exhaust memory on the affected device, leading to a reload that may also disrupt service availability for other devices in the network. It carries a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H) and maps to CWE-401 (Memory Leak).

An authenticated remote attacker possessing valid VPN user credentials can exploit the vulnerability by sending crafted IKEv2 packets to the targeted device. No user interaction is required, and the low complexity (AC:L) combined with network accessibility (AV:N) and scope change (S:C) make it feasible for users with existing access. Successful attacks result in memory exhaustion, device reload, and potential broader network service disruptions without impacting confidentiality or integrity.

The Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ikev2-dos-eBueGdEG details affected versions, exploitation conditions, and recommended mitigations or patches to address the vulnerability.

EU & UK References

Vulnerability details

A vulnerability in the IKEv2 feature of Cisco Secure Firewall ASA Software and Cisco Secure FTD Software could allow an authenticated, remote attacker with valid VPN user credentials to cause a DoS condition on an affected device that may also…

more

impact the availability of services to devices elsewhere in the network. This vulnerability is due to the improper processing of IKEv2 packets. An attacker could exploit this vulnerability by sending crafted, authenticated IKEv2 packets to an affected device. A successful exploit could allow the attacker to exhaust memory, causing the device to reload.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct memory exhaustion DoS via crafted IKEv2 packets matches Application or System Exploitation sub-technique.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-20105Same product: Cisco Adaptive Security Appliance Software
CVE-2026-20049Same product: Cisco Adaptive Security Appliance Software
CVE-2026-20101Same product: Cisco Adaptive Security Appliance Software
CVE-2026-20103Same product: Cisco Adaptive Security Appliance Software
CVE-2026-20039Same product: Cisco Adaptive Security Appliance Software
CVE-2026-20100Same product: Cisco Adaptive Security Appliance Software
CVE-2025-20115Same vendor: Cisco
CVE-2025-20175Same vendor: Cisco
CVE-2025-20171Same vendor: Cisco
CVE-2025-20343Same vendor: Cisco

Affected Assets

cisco
adaptive security appliance software
9.12.1 — 9.16.4.85 · 9.17.1 — 9.18.4.66 · 9.19.1 — 9.20.4
cisco
firepower threat defense software
6.4.0 — 7.0.9 · 7.1.0 — 7.2.11 · 7.3.0 — 7.4.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly mitigates the IKEv2 memory leak vulnerability by applying vendor-specific patches to prevent memory exhaustion from crafted packets.

prevent

Denial-of-service protection implements mechanisms to detect and block resource exhaustion attacks like the crafted IKEv2 packet floods targeting memory.

prevent

Resource availability protects critical system resources such as memory from unauthorized depletion caused by authenticated attackers sending malformed IKEv2 packets.

References