Cyber Posture

CVE-2026-20101

Severity: High
Published: 04 March 2026
Modified: 16 April 2026
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0015 (35.1st percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

A vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Secure FTD Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a DoS condition. This vulnerability is due to insufficient error checking when processing SAML messages. An attacker could exploit this vulnerability by sending crafted SAML messages to the SAML service. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly addresses insufficient error checking in SAML message processing by ensuring errors do not cause system reloads or reveal internal state.
- Prevent: Requires validation of SAML messages at entry points to reject crafted or malformed inputs before processing.
- Prevent: Mandates timely flaw remediation through patching the specific SAML processing vulnerability as provided in the Cisco advisory.

Security Summary

CVE-2026-20101 is a vulnerability in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA Software and Secure FTD Software. The issue stems from insufficient error checking when processing SAML messages, which could allow an unauthenticated, remote attacker to cause the affected device to reload unexpectedly, resulting in a denial-of-service (DoS) condition. It is rated with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and is associated with CWE-330.

An unauthenticated, remote attacker can exploit this vulnerability by sending crafted SAML messages to the SAML service on the device. A successful exploit causes the device to reload, leading to a DoS condition that disrupts network traffic processing.

The Cisco Security Advisory provides details on mitigation and patches: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-vpn-m9sx6MbC.

Details

CWE(s): CWE-330 (as given in the Security Summary above)

Affected Products

- Cisco Adaptive Security Appliance Software: 9.12.1 to 9.16.4.85, 9.17.1 to 9.18.4.66, 9.19.1 to 9.20.4
- Cisco Firepower Threat Defense Software: 6.4.0 to 7.0.9, 7.1.0 to 7.2.11, 7.3.0 to 7.4.3

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The vulnerability allows unauthenticated remote attackers to send crafted SAML messages, causing the firewall device to reload and resulting in a denial-of-service condition via application exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

- Cisco Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-vpn-m9sx6MbC