CVE-2026-20049

7.7 HIGH

📋 TL;DR

This vulnerability allows authenticated remote attackers to cause denial of service on Cisco ASA and FTD firewalls by sending specially crafted GCM-encrypted IPsec traffic. Attackers need valid VPN credentials to exploit this memory allocation flaw, which triggers device reloads. Organizations using affected Cisco firewall versions with IPsec VPNs are at risk.

💻 Affected Systems

Products:
  • Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
  • Cisco Secure Firewall Threat Defense (FTD) Software
Versions: Multiple versions - see Cisco advisory for specific affected releases
Operating Systems: Cisco ASA OS, Cisco FTD OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices configured with IKEv2 IPsec VPN using GCM encryption. Devices without IPsec VPN or using other encryption modes are not vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Continuous DoS attacks causing repeated device reloads, making VPN services unavailable and potentially disrupting network connectivity for extended periods.

🟠 Likely Case

Intermittent DoS events causing temporary VPN service disruption and device instability during exploitation attempts.

🟢 If Mitigated

Minimal impact with proper access controls, monitoring, and timely patching preventing successful exploitation.

🌐 Internet-Facing: MEDIUM - Requires authenticated VPN access but internet-facing VPN endpoints are common attack vectors.
🏢 Internal Only: LOW - Requires internal VPN credentials and access to internal VPN termination points.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires valid VPN credentials and ability to send crafted GCM-encrypted IPsec packets. Memory corruption leads to DoS rather than code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Refer to Cisco advisory for specific fixed versions

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-esp-dos-uv7yD8P5

Restart Required: Yes

Instructions:

  1. Review the Cisco advisory for affected versions.
  2. Download the appropriate fixed software from Cisco.
  3. Schedule a maintenance window.
  4. Back up the configuration.
  5. Apply the update following Cisco upgrade procedures.
  6. Verify functionality post-update.

🔧 Temporary Workarounds

Disable GCM encryption for IPsec

Configure the IPsec VPN to use encryption modes other than GCM (Galois/Counter Mode), for example:

crypto ipsec transform-set MYTRANSFORM esp-aes esp-sha-hmac

Note that a transform-set applies to IKEv1 crypto maps; for IKEv2 tunnels, which the Notes above identify as the affected configuration, the equivalent change is made in the `crypto ipsec ikev2 ipsec-proposal` entries, which must not use an aes-gcm encryption setting.

Restrict VPN access

Implement strict VPN access controls and monitor for suspicious authentication attempts.

🧯 If You Can't Patch

  • Implement network segmentation to isolate VPN traffic and limit blast radius
  • Enable aggressive logging and monitoring for VPN connection anomalies and device reloads

🔍 How to Verify

Check if Vulnerable:

Check the ASA/FTD version against the Cisco advisory and verify whether an IPsec VPN with GCM encryption is configured. On the device, `show running-config crypto ipsec` lists the IKEv2 IPsec proposals; any proposal with an aes-gcm encryption setting means the vulnerable configuration is in use.

Check Version:

show version (same command on ASA and FTD)

Verify Fix Applied:

Verify software version is updated to fixed release and test IPsec VPN functionality

📡 Detection & Monitoring

Log Indicators:

  • Unexpected device reloads
  • Memory allocation failures in system logs
  • VPN connection anomalies
  • IPsec tunnel establishment failures

Network Indicators:

  • Abnormal patterns of GCM-encrypted IPsec traffic
  • VPN connection attempts followed by device instability

SIEM Query:

source="cisco-asa" OR source="cisco-ftd" (reload OR crash OR "%ASA-3-" OR memory) AND (ipsec OR vpn OR ikev2)
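As an added example (not part of this advisory page), the following Python applies the same filter as the SIEM query above to constructed syslog-style lines and groups the hits per device, so a reload preceded by IPsec-related memory errors on the same firewall stands out from an isolated memory warning elsewhere. The message texts and the %ASA-3-XXXXXX identifier are placeholders, not real ASA message IDs.

```python
import re
from collections import defaultdict

# Same two conditions as the SIEM query: an event keyword AND a VPN-related keyword.
EVENT_RE = re.compile(r"reload|crash|%ASA-3-|memory", re.IGNORECASE)
VPN_RE = re.compile(r"ipsec|vpn|ikev2", re.IGNORECASE)

# Constructed sample lines, layout "<timestamp> <host> <message>".
# %ASA-3-XXXXXX / %ASA-6-XXXXXX are placeholder IDs, not real ASA message numbers.
SAMPLE_LOGS = """\
2026-01-10T08:00:01 fw-edge-1 %ASA-6-XXXXXX: IKEv2 tunnel established with peer 203.0.113.10
2026-01-10T08:00:05 fw-edge-1 %ASA-3-XXXXXX: memory allocation failure in IPsec ESP processing
2026-01-10T08:00:06 fw-edge-1 %ASA-3-XXXXXX: memory allocation failure in IPsec ESP processing
2026-01-10T08:00:09 fw-edge-1 System reload requested: crash in vpn subsystem
2026-01-10T08:00:09 fw-core-2 %ASA-6-XXXXXX: Built outbound TCP connection
2026-01-10T08:00:11 fw-core-2 %ASA-3-XXXXXX: memory low warning
"""

def parse(line):
    """Split a syslog-style line into (timestamp, host, message)."""
    ts, host, msg = line.split(" ", 2)
    return ts, host, msg

def matches_query(msg):
    """True when the message satisfies both halves of the SIEM query."""
    return bool(EVENT_RE.search(msg)) and bool(VPN_RE.search(msg))

def triage(log_text, threshold=2):
    """Return {host: [messages]} for hosts with at least `threshold` matching events.

    Grouping per host is what surfaces a reload that follows IPsec memory errors
    on the same device; a single unrelated memory warning never reaches the threshold.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, msg = parse(line)
        if matches_query(msg):
            hits[host].append(msg)
    return {h: m for h, m in hits.items() if len(m) >= threshold}

def saw_reload(messages):
    """True if a reload or crash appears among a host's matching messages."""
    return any(re.search(r"reload|crash", m, re.IGNORECASE) for m in messages)

if __name__ == "__main__":
    for host, msgs in triage(SAMPLE_LOGS).items():
        flag = "RELOAD" if saw_reload(msgs) else "errors only"
        print(f"{host}: {len(msgs)} matching events ({flag})")
```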
