CVE-2026-20082

High

Published: 04 March 2026

Published

04 March 2026

Modified

04 May 2026

KEV Added

—

Patch

—

CVSS Score 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

EPSS Score 0.0015 35.5th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability in the handling of the embryonic connection limits in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause incoming TCP SYN packets to be dropped incorrectly. This vulnerability is due to…

improper handling of new, incoming TCP connections that are destined to management or data interfaces when the device is under a TCP SYN flood attack. An attacker could exploit this vulnerability by sending a crafted stream of traffic to an affected device. A successful exploit could allow the attacker to prevent all incoming TCP connections to the device from being established, including remote management access, Remote Access VPN (RAVPN) connections, and all network protocols that are TCP-based. This results in a denial of service (DoS) condition for affected features.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the vulnerability by requiring timely patching of the flaw in embryonic connection handling during TCP SYN floods.

SC-5 Denial-of-service Protection good match

prevent

Implements denial-of-service protections specifically against TCP SYN flood attacks that trigger the improper dropping of legitimate connections.

SC-6 Resource Availability partial match

prevent

Ensures resource availability for connection tables and limits embryonic connections to prevent exhaustion and DoS from floods.

Security SummaryAI

CVE-2026-20082 is a vulnerability in the handling of embryonic connection limits in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software. The issue causes incoming TCP SYN packets to be dropped incorrectly due to improper processing of new TCP connections destined for management or data interfaces during a TCP SYN flood attack.

An unauthenticated, remote attacker can exploit this vulnerability by sending a crafted stream of traffic to an affected device. Successful exploitation prevents all incoming TCP connections from being established, including remote management access, Remote Access VPN (RAVPN) connections, and TCP-based network protocols, resulting in a denial-of-service (DoS) condition. The vulnerability has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and is associated with CWE-772.

The Cisco Security Advisory provides details on mitigation and patch information at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-dos-FCvLD6vR.

Details

CWE(s): CWE-772

Affected Products

cisco

adaptive security appliance software

9.20.4.14 — 9.20.4.19

MITRE ATT&CK Enterprise TechniquesAI

T1498.001 Direct Network Flood Impact

Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target.

attack.mitre.org →

Why these techniques?

Vulnerability facilitates denial-of-service via crafted TCP SYN flood traffic, directly enabling Network Denial of Service through Direct Network Flood.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-dos-FCvLD6vR
Vendor Advisory · psirt@cisco.com