Cyber Resilience

CVE-2026-20101

Severity: High
Published: 04 March 2026
Modified: 16 April 2026
KEV Added: not listed
Patch: available (see the Cisco advisory below)
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0035 (27.2nd percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-20101 is a high-severity Use of Insufficiently Random Values (CWE-330) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 27.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-20101 is a vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Secure FTD Software. The issue stems from insufficient error checking when processing SAML messages, which could allow an unauthenticated, remote attacker to cause the affected device to reload unexpectedly, resulting in a denial-of-service (DoS) condition. It is rated with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and is associated with CWE-330.

An unauthenticated, remote attacker can exploit this vulnerability by sending crafted SAML messages to the SAML service on the device. A successful exploit causes the device to reload, leading to a DoS condition that disrupts network traffic processing.

The Cisco Security Advisory provides details on mitigation and patches: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-vpn-m9sx6MbC.

Vulnerability details

A vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Secure FTD Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a DoS condition. This vulnerability is due to insufficient error checking when processing SAML messages. An attacker could exploit this vulnerability by sending crafted SAML messages to the SAML service. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

CWE(s)

CWE-330 Use of Insufficiently Random Values

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability allows unauthenticated remote attackers to send crafted SAML messages, causing the firewall device to reload and resulting in a denial-of-service condition via application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20014 (same product: Cisco Adaptive Security Appliance Software)
CVE-2026-20049 (same product: Cisco Adaptive Security Appliance Software)
CVE-2026-20105 (same product: Cisco Adaptive Security Appliance Software)
CVE-2026-20039 (same product: Cisco Adaptive Security Appliance Software)
CVE-2026-20103 (same product: Cisco Adaptive Security Appliance Software)
CVE-2026-20100 (same product: Cisco Adaptive Security Appliance Software)
CVE-2026-20082 (same product: Cisco Adaptive Security Appliance Software)
CVE-2025-20169 (same vendor: Cisco)
CVE-2025-20176 (same vendor: Cisco)
CVE-2025-20115 (same vendor: Cisco)

Affected Assets

Cisco Adaptive Security Appliance Software: 9.12.1 to 9.16.4.85, 9.17.1 to 9.18.4.66, 9.19.1 to 9.20.4
Cisco Firepower Threat Defense Software: 6.4.0 to 7.0.9, 7.1.0 to 7.2.11, 7.3.0 to 7.4.3

Mitigating Controls (NIST 800-53 r5, AI-assigned mapping)

SI-11 Error Handling (prevent): directly addresses insufficient error checking in SAML message processing by ensuring errors do not cause system reloads or reveal internal state.

SI-10 Information Input Validation (prevent): requires validation of SAML messages at entry points to reject crafted or malformed inputs before processing.

SI-2 Flaw Remediation (prevent): mandates timely flaw remediation through patching the specific SAML processing vulnerability as provided in the Cisco advisory.
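As an added example (not Cisco's code, and not a fix for this CVE's specific defect, which the advisory does not detail), the Python sketch below shows what the SI-10 and SI-11 controls look like at a SAML entry point: the inbound message is validated before any further processing, and every failure path returns a rejection result instead of letting a decoding or parsing exception propagate and take the service down. The namespaces and element names come from the SAML 2.0 standard; the size limit, the result type and the sample messages are constructed assumptions of this example. Production code would additionally parse with a hardened XML library such as defusedxml and verify the XML signature after these structural checks.

```python
"""Defensive pre-validation of an inbound SAML 2.0 <Response> message.

Added example, not Cisco's code. Sketches SI-10 (validate input at the
entry point) and SI-11 (handle errors by rejecting, never by crashing).
"""
import base64
import binascii
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"   # SAML 2.0 protocol namespace
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"   # SAML 2.0 assertion namespace
MAX_MESSAGE_BYTES = 64 * 1024  # assumed cap: bounds parser work on oversized input


@dataclass(frozen=True)
class ValidationResult:
    """Outcome of validation; assumed shape for this example."""
    accepted: bool
    reason: str
    message_id: str = ""


def validate_saml_response(encoded: str) -> ValidationResult:
    """Validate an HTTP-POST binding SAMLResponse value before further processing.

    Every failure path returns a ValidationResult; nothing raises to the caller,
    so a malformed message is answered with a rejection rather than a crash.
    """
    if not isinstance(encoded, str) or not encoded:
        return ValidationResult(False, "empty or non-string SAMLResponse")
    # The HTTP-POST binding carries the XML base64-encoded; reject bad encodings.
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return ValidationResult(False, "SAMLResponse is not valid base64")
    if len(raw) > MAX_MESSAGE_BYTES:
        return ValidationResult(False, "SAMLResponse exceeds size limit")
    # ParseError covers truncated, unbalanced, mis-encoded and non-XML input.
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return ValidationResult(False, f"SAMLResponse is not well-formed XML: {exc}")
    # Structural checks the SAML 2.0 protocol schema requires of a Response.
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return ValidationResult(False, f"unexpected root element {root.tag}")
    if root.get("Version") != "2.0":
        return ValidationResult(False, "missing or unsupported Version attribute")
    message_id = root.get("ID")
    if not message_id or root.get("IssueInstant") is None:
        return ValidationResult(False, "missing ID or IssueInstant attribute")
    if root.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode") is None:
        return ValidationResult(False, "missing Status/StatusCode element")
    if root.find(f"{{{SAML_NS}}}Issuer") is None:
        return ValidationResult(False, "missing Issuer element")
    return ValidationResult(True, "structurally valid; proceed to signature verification", message_id)


# Constructed sample messages for the demonstration (not captured traffic).
GOOD_XML = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_example1" Version="2.0" IssueInstant="2026-03-04T00:00:00Z">'
    '<saml:Issuer>https://idp.example.test</saml:Issuer>'
    '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:Response>'
)


def encode(xml_text: str) -> str:
    """Base64-encode an XML document the way the HTTP-POST binding does."""
    return base64.b64encode(xml_text.encode()).decode()


SAMPLES = {
    "valid": encode(GOOD_XML),
    "truncated_xml": encode(GOOD_XML[:-30]),   # closing tags cut off mid-stream
    "wrong_root": encode(
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" ID="_x" Version="2.0" '
        'IssueInstant="2026-03-04T00:00:00Z"/>'
    ),
    "missing_version": encode(GOOD_XML.replace(' Version="2.0"', "")),
    "not_base64": "%%%not-base64%%%",
}


def run_samples() -> dict:
    """Validate every constructed sample; only the well-formed one is accepted."""
    return {name: validate_saml_response(value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name:16s} accepted={str(result.accepted):5s} {result.reason}")
```

The point of the shape is that `validate_saml_response` has exactly one kind of exit: a result object the caller can log and turn into an HTTP error. A parser fault on a crafted message therefore becomes a rejected request and an audit line, not an unhandled exception in the process that also carries the device's traffic.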

References

Cisco Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-vpn-m9sx6MbC