CVE-2026-20101
Published: 04 March 2026
Summary
CVE-2026-20101 is a high-severity Use of Insufficiently Random Values (CWE-330) vulnerability in Cisco Adaptive Security Appliance Software. Its CVSS base score is 8.6 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability is ranked at the 36.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-11 (Error Handling): directly addresses insufficient error checking in SAML message processing by ensuring errors do not cause system reloads or reveal internal state.
- SI-10 (Information Input Validation): requires validation of SAML messages at entry points to reject crafted or malformed inputs before processing.
- SI-2 (Flaw Remediation): mandates timely flaw remediation by applying the patch for this SAML processing vulnerability as provided in the Cisco advisory.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated remote attackers to send crafted SAML messages, causing the firewall device to reload and resulting in a denial-of-service condition via application exploitation.
NVD Description
A vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Secure FTD Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a DoS condition. This vulnerability is due to insufficient error checking when processing SAML messages. An attacker could exploit this vulnerability by sending crafted SAML messages to the SAML service. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.
Deeper analysis
CVE-2026-20101 is a vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Secure FTD Software. The issue stems from insufficient error checking when processing SAML messages, which could allow an unauthenticated, remote attacker to cause the affected device to reload unexpectedly, resulting in a denial-of-service (DoS) condition. It is rated with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and is associated with CWE-330.
An unauthenticated, remote attacker can exploit this vulnerability by sending crafted SAML messages to the SAML service on the device. A successful exploit causes the device to reload, leading to a DoS condition that disrupts network traffic processing.
The Cisco Security Advisory provides details on mitigation and patches: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-vpn-m9sx6MbC.
Details
- CWE(s)