Cyber Resilience

CVE-2026-20062

High

Published: 04 March 2026

Modified: 05 March 2026
KEV Added:
Patch:
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0001 (0.3th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-20062 is a high-severity Incorrect Execution-Assigned Permissions (CWE-279) vulnerability in Cisco Secure Firewall (inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 0.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-20062 is a vulnerability in the command-line interface (CLI) of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software operating in multiple context mode. It stems from improper access controls for Secure Copy Protocol (SCP) operations when the CiscoSSH stack is enabled, potentially allowing unauthorized file access across contexts. This issue is classified under CWE-279 (Incorrect Execution-Assigned Permissions) with a CVSS v3.1 base score of 7.2 (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N).

An authenticated, local attacker with administrative privileges in a non-administrative context could exploit this vulnerability by authenticating to that context and issuing crafted SCP copy commands. Successful exploitation enables the attacker to read, create, or overwrite sensitive files belonging to other contexts, including the admin and system contexts. However, the attacker cannot directly impact service availability in those contexts, cannot list or enumerate files from other contexts, and must know the exact file path, which adds complexity to the attack.

For mitigation details, refer to the Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-scpcxt-filecpy-rgeP73nE.

EU & UK References

Vulnerability details

A vulnerability in the CLI of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software in multiple context mode could allow an authenticated, local attacker with administrative privileges in one context to copy files to or from another context, including configuration files. This vulnerability is due to improper access controls for Secure Copy Protocol (SCP) operations when the CiscoSSH stack is enabled. An attacker could exploit this vulnerability by authenticating to a non-admin context of the device and issuing crafted SCP copy commands in that non-admin context. A successful exploit could allow the attacker to read, create, or overwrite sensitive files that belong to another context, including the admin and system contexts. The attacker cannot directly impact the availability of services pertaining to other contexts. To exploit this vulnerability, the attacker must have valid administrative credentials for a non-admin context.

Note: An attacker cannot list or enumerate files from another context and would need to know the exact file path, which increases the complexity of a successful attack.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1005 Data from Local System (Tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The vulnerability enables cross-context file read/write via SCP (facilitating T1005 data access) and a context isolation bypass (facilitating T1068 privilege escalation from a limited admin context).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-14025 (Shared CWE-279)

Affected Assets

Cisco Secure Firewall (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly enforces access restrictions on SCP file operations so an authenticated user in one context cannot read/write files belonging to another context.

prevent

Limits the privileges granted to a context administrator so they cannot perform cross-context file copy actions even when the CiscoSSH stack is enabled.

prevent

Enforces information-flow policies between security contexts, blocking unauthorized SCP transfers across context boundaries.

References