Cyber Resilience

CVE-2026-20039

High

Published: 04 March 2026

Published
04 March 2026
Modified
16 April 2026
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS Score 0.0036 27.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-20039 is a high-severity Heap Inspection (CWE-244) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-20039 is a vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. It stems from ineffective memory management, which could allow an unauthenticated, remote attacker to trigger a denial-of-service (DoS) condition. The issue has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and is associated with CWE-244 (Improper Clearing of Heap Memory Before Release).

An unauthenticated, remote attacker can exploit this vulnerability by sending a large number of crafted HTTP requests to an affected device. Successful exploitation would cause the device to reload, resulting in a DoS condition that disrupts network traffic processing until the device recovers.

The Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-vpn-dos-SpOFF2Re provides details on affected software versions, workarounds, and available patches for mitigation. Security practitioners should review the advisory for fixed releases and apply updates promptly to exposed VPN interfaces.

EU & UK References

Vulnerability details

A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an…

more

affected device. This vulnerability is due to ineffective memory management of the VPN web server. An attacker could exploit this vulnerability by sending a large number of crafted HTTP requests to an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Unauthenticated remote attacker exploits public-facing VPN web server with crafted HTTP requests, causing device reload and DoS via application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20103Same product: Cisco Adaptive Security Appliance Software
CVE-2026-20014Same product: Cisco Adaptive Security Appliance Software
CVE-2026-20049Same product: Cisco Adaptive Security Appliance Software
CVE-2026-20101Same product: Cisco Adaptive Security Appliance Software
CVE-2026-20105Same product: Cisco Adaptive Security Appliance Software
CVE-2026-20100Same product: Cisco Adaptive Security Appliance Software
CVE-2026-20082Same product: Cisco Adaptive Security Appliance Software
CVE-2025-20333Same product: Cisco Adaptive Security Appliance Software
CVE-2025-20362Same product: Cisco Adaptive Security Appliance Software
CVE-2025-20142Same vendor: Cisco

Affected Assets

cisco
adaptive security appliance software
9.12.1 — 9.16.4.84 · 9.17.1 — 9.18.4.57 · 9.19.1 — 9.20.3.16
cisco
firepower threat defense software
6.4.0 — 7.0.9 · 7.1.0 — 7.2.10 · 7.3.0 — 7.4.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring timely remediation through vendor patches addressing the ineffective memory management in the VPN web server.

prevent

Implements denial-of-service protections to limit or block the impact of large numbers of crafted HTTP requests targeting the VPN web server.

prevent

Ensures resource availability by protecting system memory and processing from exhaustion caused by the memory management flaw exploited via HTTP floods.

References