CVE-2026-20062
📋 TL;DR
This vulnerability allows authenticated local administrators in one context of Cisco ASA multi-context mode to copy files to/from other contexts via SCP when CiscoSSH is enabled. Attackers can read, create, or overwrite sensitive files in other contexts, including the admin and system contexts. Only Cisco ASA devices running in multi-context mode with CiscoSSH enabled are affected.
💻 Affected Systems
- Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with admin credentials in a non-admin context could overwrite configuration files in admin/system contexts, potentially gaining full control of the firewall or exfiltrating sensitive configuration data.
Likely Case
A privileged attacker in one context reads or modifies configuration files in another context, potentially escalating privileges or disrupting specific services.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized file access within the same administrative trust boundary.
🎯 Exploit Status
Requires valid administrative credentials for a non-admin context and knowledge of exact file paths in target contexts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Cisco advisory for specific fixed versions
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-scpcxt-filecpy-rgeP73nE
Restart Required: Yes
Instructions:
1. Review Cisco advisory for affected versions.
2. Upgrade to fixed version.
3. Restart ASA device.
4. Verify fix by testing SCP operations between contexts.
🔧 Temporary Workarounds
Disable CiscoSSH
Disable the CiscoSSH stack to prevent exploitation via SCP
no ssh scopy enable
Restrict administrative access
Limit administrative access to trusted personnel only
🧯 If You Can't Patch
- Disable CiscoSSH stack if not required
- Implement strict access controls and monitor for unusual SCP activity between contexts
🔍 How to Verify
Check if Vulnerable:
Check if the device is in multi-context mode and CiscoSSH is enabled: 'show running-config | include ssh scopy'
Check Version:
show version | include Version
Verify Fix Applied:
After patching, verify SCP operations are properly restricted between contexts
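The "Check if Vulnerable" step above, as an added example (not part of the original page and not Cisco tooling): a Python audit over saved CLI output that reports whether both preconditions are present. It assumes you captured `show mode` output and one `show running-config` per context; the sample text and context names are constructed.

```python
import re

# Constructed sample captures (not taken from a real device).
SAMPLE_SHOW_MODE = "Security context mode: multiple\n"
SAMPLE_CONFIGS = {
    "admin": "hostname admin\nssh scopy enable\nssh timeout 5\n",
    "tenant-a": "hostname tenant-a\nssh timeout 5\n",
    "tenant-b": "hostname tenant-b\n! ssh scopy enable\nno ssh scopy enable\n",
}

MODE_RE = re.compile(r"Security context mode:\s*(\w+)", re.IGNORECASE)
# Anchored so comment lines ("! ...") and unrelated ssh lines do not match.
SCOPY_RE = re.compile(r"^(no\s+)?ssh\s+scopy\s+enable\s*$")


def context_mode(show_mode_output):
    """Return 'single', 'multiple', or 'unknown' from `show mode` output."""
    m = MODE_RE.search(show_mode_output)
    return m.group(1).lower() if m else "unknown"


def scopy_enabled(running_config):
    """True if the last `ssh scopy enable` line in the config is not negated."""
    enabled = False
    for raw in running_config.splitlines():
        m = SCOPY_RE.match(raw.strip())
        if m:
            enabled = m.group(1) is None
    return enabled


def assess(show_mode_output, configs):
    """Combine both preconditions; fixed versions still come from the advisory."""
    mode = context_mode(show_mode_output)
    with_scp = sorted(n for n, c in configs.items() if scopy_enabled(c))
    if mode == "unknown":
        verdict = "undetermined"
    elif mode == "multiple" and with_scp:
        verdict = "review-advisory"
    else:
        verdict = "preconditions-not-met"
    return {"mode": mode, "scopy_enabled_in": with_scp, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_MODE, SAMPLE_CONFIGS))
```

A `review-advisory` verdict means only that the configuration preconditions are present; whether the running release is affected still has to be checked against the Cisco advisory.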
📡 Detection & Monitoring
Log Indicators:
- Unusual SCP copy operations between different contexts
- Failed SCP attempts targeting other contexts
Network Indicators:
- SCP traffic between contexts from non-admin sources
SIEM Query:
source="asa" AND (event_type="ssh" OR protocol="scp") AND (src_context!=dst_context)