CVE-2026-20062
Published: 04 March 2026
Summary
CVE-2026-20062 is a high-severity Incorrect Execution-Assigned Permissions (CWE-279) vulnerability in Cisco Secure Firewall (inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). By exploit likelihood it ranks at the 0.3 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-20062 is a vulnerability in the command-line interface (CLI) of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software operating in multiple context mode. It stems from improper access controls for Secure Copy Protocol (SCP) operations when the CiscoSSH stack is enabled, potentially allowing unauthorized file access across contexts. This issue is classified under CWE-279 (Incorrect Execution-Assigned Permissions) with a CVSS v3.1 base score of 7.2 (AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N).
An authenticated, local attacker with administrative privileges in a non-administrative context could exploit this vulnerability by authenticating to that context and issuing crafted SCP copy commands. Successful exploitation enables the attacker to read, create, or overwrite sensitive files belonging to other contexts, including the admin and system contexts. However, the attacker cannot directly impact service availability in those contexts, cannot list or enumerate files from other contexts, and must know the exact file path, which adds complexity to the attack.
For mitigation details, refer to the Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-scpcxt-filecpy-rgeP73nE.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9437
Vulnerability details
A vulnerability in the CLI of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software in multiple context mode could allow an authenticated, local attacker with administrative privileges in one context to copy files to or from another context, including configuration files. This vulnerability is due to improper access controls for Secure Copy Protocol (SCP) operations when the CiscoSSH stack is enabled. An attacker could exploit this vulnerability by authenticating to a non-admin context of the device and issuing crafted SCP copy commands in that non-admin context. A successful exploit could allow the attacker to read, create, or overwrite sensitive files that belong to another context, including the admin and system contexts. The attacker cannot directly impact the availability of services pertaining to other contexts. To exploit this vulnerability, the attacker must have valid administrative credentials for a non-admin context.

Note: An attacker cannot list or enumerate files from another context and would need to know the exact file path, which increases the complexity of a successful attack.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables cross-context file read/write via SCP (facilitating T1005 data access) and context isolation bypass (facilitating T1068 privilege escalation from limited admin context).
Mitigating Controls (NIST 800-53 r5)
Directly enforces access restrictions on SCP file operations so an authenticated user in one context cannot read/write files belonging to another context.
Limits the privileges granted to a context administrator so they cannot perform cross-context file copy actions even when the CiscoSSH stack is enabled.
Enforces information-flow policies between security contexts, blocking unauthorized SCP transfers across context boundaries.