Cisco ASA / FTD pre-auth memory corruption — added to KEV

Pre-auth RCE in the WebVPN SSL handler. We're seeing scanning from three known initial-access broker IP ranges. Patch level required: ASA 9.20.2.10, FTD 7.4.2.

AI-assisted. Drafted by Carbynix's structured-reasoning pipeline. Sources linked below. Errors? Tell us — we correct in 24 hours.

What happened

A pre-authentication memory corruption in the WebVPN SSL handler of Cisco ASA and FTD lets an unauthenticated remote attacker execute arbitrary code by sending a crafted SSL handshake to TCP/443. CISA added it to the KEV catalog this morning. We have observed scanning probes from three IP ranges previously attributed to initial-access brokers.

Who is affected

  • Cisco ASA software 9.18.x, 9.19.x, 9.20.x prior to 9.20.2.10
  • Cisco FTD 7.2.x, 7.4.x prior to 7.4.2
  • WebVPN must be enabled on a public-facing interface (the default for many SSL-VPN deployments)

What this enables for an attacker

Remote code execution as the appliance’s privileged user. From there:

  • Modify firewall rules silently
  • Capture VPN sessions in flight (initial credential collection)
  • Pivot into the inside zone with the appliance’s trust posture
  • Establish persistence outside any host-based EDR’s visibility

What to do this week

  1. Patch immediately. ASA 9.20.2.10, FTD 7.4.2. Reboot required.
  2. If you cannot patch in the next 48 hours, disable WebVPN on public interfaces. The appliance can serve IPSec-only tunnels in the meantime.
  3. Hunt for known IOCs from the Cisco advisory in your appliance running config, especially newly modified ACLs, VPN profiles, or SSL certificates added since April 11.
  4. Reset all VPN user credentials that were active in the trailing 14-day window. If the appliance was compromised, every session it served is potentially harvested.
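Steps 2 and 3 can be made mechanical by diffing running-config snapshots. The following is an added example, not code from this brief or from Cisco: it compares two constructed snapshots (`BASELINE`, `CURRENT`), reports access-list, tunnel-group/group-policy and trustpoint lines that appeared or vanished, and lists the interfaces on which the `webvpn` block enables the SSL VPN listener. The snapshot text and the simplified line patterns are assumptions, not real appliance output.

```python
import re

# Constructed sample snapshots of an ASA running config (not from any real appliance).
BASELINE = """\
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
tunnel-group REMOTE_VPN type remote-access
"""
CURRENT = """\
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit ip any any
webvpn
 enable outside
tunnel-group REMOTE_VPN type remote-access
tunnel-group SUPPORT_VPN type remote-access
crypto ca trustpoint UPDATE_TP
"""

# Top-level config lines the brief's hunting step singles out (assumed patterns).
WATCH = {
    "acl": re.compile(r"^access-list\s"),
    "vpn": re.compile(r"^(tunnel-group|group-policy)\s"),
    "cert": re.compile(r"^crypto ca (trustpoint|certificate)\s"),
}

def watched_lines(config):
    """Bucket the watched top-level lines of a config by category."""
    return {kind: {ln.rstrip() for ln in config.splitlines() if pat.match(ln)}
            for kind, pat in WATCH.items()}

def config_drift(baseline, current):
    """Watched lines that appeared in, or vanished from, the running config."""
    before, after = watched_lines(baseline), watched_lines(current)
    return {
        "added": {k: sorted(after[k] - before[k]) for k in WATCH},
        "removed": {k: sorted(before[k] - after[k]) for k in WATCH},
    }

def webvpn_interfaces(config):
    """Interfaces on which the webvpn block enables the SSL VPN listener."""
    ifaces, in_block = [], False
    for line in config.splitlines():
        if not line.startswith(" "):          # top-level command: (re)enter a block
            in_block = line.strip() == "webvpn"
            continue
        if in_block and (m := re.match(r"\s+enable\s+(\S+)$", line)):
            ifaces.append(m.group(1))
    return ifaces
```

Run it against a pre-incident backup and the live `show running-config` output; any non-empty `added` bucket or an unexpected public interface in `webvpn_interfaces` is what step 3 asks you to investigate.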

The math, plainly

A perimeter compromise via a federal-grade VPN appliance typically runs $400K–$1.2M for a mid-market firm because lateral movement and exfiltration windows are wide. Patching takes 90 minutes. Disabling WebVPN takes five.


Drafted by Carbynix’s structured-reasoning pipeline from the CISA KEV feed, the Cisco PSIRT advisory, and customer-environment scanning telemetry. Errors? Tell us — we correct in 24 hours.