CVE-2026-20058
📋 TL;DR
This vulnerability in Cisco products allows remote attackers to crash the Snort 3 detection engine by sending specially crafted VBA data, causing denial of service. It affects multiple Cisco security appliances running vulnerable Snort 3 versions. The attack requires no authentication and can be performed remotely.
💻 Affected Systems
- Cisco Firepower Threat Defense (FTD)
- Cisco Secure Firewall Management Center
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sustained DoS attacks could keep the Snort 3 detection engine in a restart loop, effectively disabling intrusion prevention and detection for extended periods.
Likely Case
Temporary disruption of Snort 3 detection engine causing brief security monitoring gaps until automatic restart completes.
If Mitigated
Minimal impact with proper network segmentation and monitoring; the detection engine restarts automatically, but each restart still creates a brief security coverage gap.
🎯 Exploit Status
Attack requires sending specially crafted VBA data to trigger the vulnerability. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Snort 3 version 3.2.0.0 or later
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-snort3-vbavuls-96UcVVed
Restart Required: Yes
Instructions:
1. Upgrade to Snort 3 version 3.2.0.0 or later.
2. Apply Cisco FTD software updates that include the fixed Snort 3 version.
3. Restart affected services or devices as required.
🔧 Temporary Workarounds
Disable VBA inspection
Temporarily disable VBA file inspection in Snort 3 policies to prevent exploitation until the patch is applied. Note that while VBA inspection is off, malicious VBA content passing through the device is no longer inspected, so treat this as a short-term measure only.
configure policy
edit snort3-policy-name
no inspect vba
commit
Network segmentation
Restrict access to Snort 3 inspection interfaces to trusted networks only
🧯 If You Can't Patch
- Implement strict network segmentation to limit exposure to untrusted traffic
- Enable monitoring and alerting for Snort 3 process restarts and crashes
🔍 How to Verify
Check if Vulnerable:
show version | include Snort
Compare the reported Snort 3 version against the fixed version (3.2.0.0). Because no version ranges are published for this CVE, consult the Cisco advisory linked above for the affected builds.
Verify Fix Applied:
show version | include Snort
Confirm the reported Snort 3 version is 3.2.0.0 or later.
📡 Detection & Monitoring
Log Indicators:
- Snort 3 process crashes
- Unexpected Snort 3 restarts
- DoS alerts related to VBA processing
Network Indicators:
- Unusual VBA traffic patterns to security appliances
- Traffic spikes followed by service interruptions
SIEM Query:
source="cisco-ftd" AND (event_type="crash" OR event_type="restart") AND process="snort3"
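As an added example that is not part of this page or of Cisco's tooling, the following Python script implements the restart-loop alerting recommended above: it parses crash/restart events per host and flags any host whose restarts exceed a threshold inside a sliding time window. The log line format, host names and timestamps are constructed for the demo and must be adapted to the syslog format your FTD appliances actually emit.

```python
"""Flag Snort 3 restart loops from syslog-style lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Cisco output). ftd-edge-1 restarts
# three times in under a minute; ftd-edge-2 restarts once; the sshd line
# is unrelated noise that the parser must ignore.
SAMPLE_LOGS = """\
2026-01-10T10:00:01Z ftd-edge-1 snort3 event_type=crash reason=sigsegv
2026-01-10T10:00:09Z ftd-edge-1 snort3 event_type=restart
2026-01-10T10:00:25Z ftd-edge-1 snort3 event_type=crash reason=sigsegv
2026-01-10T10:00:33Z ftd-edge-1 snort3 event_type=restart
2026-01-10T10:00:48Z ftd-edge-1 snort3 event_type=crash reason=sigsegv
2026-01-10T10:00:56Z ftd-edge-1 snort3 event_type=restart
2026-01-10T10:01:10Z ftd-edge-2 snort3 event_type=restart
2026-01-10T10:01:15Z ftd-edge-1 sshd event_type=login user=admin
"""

# Assumed line layout: "<ISO timestamp> <host> <process> event_type=<event> ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) event_type=(?P<event>\S+)")


def parse_events(text):
    """Yield (timestamp, host, event) for every Snort 3 crash or restart line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proc"] != "snort3" or m["event"] not in ("crash", "restart"):
            continue
        yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["host"], m["event"]


def find_restart_loops(text, threshold=3, window=timedelta(minutes=5)):
    """Return {host: peak restart count} for hosts with >= threshold restarts
    inside any window of the given length. Only restarts are counted, so a
    crash immediately followed by its restart is counted once."""
    restarts = defaultdict(list)
    for ts, host, event in parse_events(text):
        if event == "restart":
            restarts[host].append(ts)
    looping = {}
    for host, times in restarts.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            looping[host] = peak
    return looping


if __name__ == "__main__":
    for host, count in find_restart_loops(SAMPLE_LOGS).items():
        print(f"ALERT: {host} restarted snort3 {count} times within 5 minutes")
```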