CVE-2026-20039
Published: 04 March 2026
Summary
CVE-2026-20039 is a high-severity Heap Inspection (CWE-244) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely remediation through vendor patches addressing the ineffective memory management in the VPN web server.
Implements denial-of-service protections to limit or block the impact of large numbers of crafted HTTP requests targeting the VPN web server.
Ensures resource availability by protecting system memory and processing from exhaustion caused by the memory management flaw exploited via HTTP floods.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote attacker exploits public-facing VPN web server with crafted HTTP requests, causing device reload and DoS via application exploitation.
NVD Description
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an…
more
affected device. This vulnerability is due to ineffective memory management of the VPN web server. An attacker could exploit this vulnerability by sending a large number of crafted HTTP requests to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.
Deeper analysisAI
CVE-2026-20039 is a vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. It stems from ineffective memory management, which could allow an unauthenticated, remote attacker to trigger a denial-of-service (DoS) condition. The issue has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and is associated with CWE-244 (Improper Clearing of Heap Memory Before Release).
An unauthenticated, remote attacker can exploit this vulnerability by sending a large number of crafted HTTP requests to an affected device. Successful exploitation would cause the device to reload, resulting in a DoS condition that disrupts network traffic processing until the device recovers.
The Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-vpn-dos-SpOFF2Re provides details on affected software versions, workarounds, and available patches for mitigation. Security practitioners should review the advisory for fixed releases and apply updates promptly to exposed VPN interfaces.
Details
- CWE(s)