CVE-2026-20006
Received Received - Intake
TLS Protocol Vulnerability in Cisco Snort 3 Causes DoS

Publication date: 2026-03-04

Last updated on: 2026-03-04

Assigner: Cisco Systems, Inc.

Description
A vulnerability in the TLS cryptography functionality of the Snort 3 Detection Engine of Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to unexpectedly restart, resulting in a denial of service (DoS) condition. This vulnerability is due to improper implementation of the TLS protocol. An attacker could exploit this vulnerability by sending a crafted TLS packet to an affected system. A successful exploit could allow the attacker to cause a device that is running Cisco Secure FTD Software to drop network traffic, resulting in a DoS condition.  Note: TLS 1.3 is not affected by this vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-04
Last Modified
2026-03-04
Generated
2026-06-18
AI Q&A
2026-03-04
EPSS Evaluated
2026-06-17
NVD
CVE-2026-20006
EUVD
EUVD-2026-9453
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
cisco firepower_services *
cisco secure_firewall_threat_defense_software *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-388
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-20006 is a medium-severity vulnerability in the TLS cryptography functionality of the Snort 3 Detection Engine within Cisco Secure Firewall Threat Defense (FTD) Software.

The vulnerability is caused by an improper implementation of the TLS protocol, which allows an unauthenticated remote attacker to send specially crafted TLS packets that cause the Snort 3 Detection Engine to unexpectedly restart.

This unexpected restart leads to dropped network traffic and results in a denial of service (DoS) condition. Notably, TLS 1.3 is not affected by this vulnerability.

Impact Analysis

If exploited, this vulnerability can cause the Snort 3 Detection Engine to restart unexpectedly, which leads to dropped network traffic.

The resulting denial of service (DoS) condition can disrupt network security monitoring and traffic inspection, potentially allowing malicious traffic to pass undetected or causing interruptions in network operations.

Compliance Impact

I don't know

Detection Guidance

To detect this vulnerability, you should verify if Snort 3 is enabled on your Cisco Secure Firewall Threat Defense (FTD) device and check the SSL or decryption policy configurations via the Cisco Secure FMC Software management interface.

Specifically, look for SSL or decryption policies that block traffic from specific TLS versions (TLS 1.0, 1.1, or 1.2) or policies that do not decrypt traffic for unsupported cipher suites, as these conditions make the device vulnerable.

Cisco provides a Software Checker tool to identify affected releases and the earliest fixed versions, which can help confirm if your software version is vulnerable.

While no explicit commands are provided in the advisory, using the Cisco Secure FMC Software management interface to review Snort 3 activation and SSL/decryption policy settings is the recommended detection method.

Mitigation Strategies

Immediate mitigation steps include configuring your SSL or decryption policies to allow traffic from all TLS versions by enabling all TLS version checkboxes in the policy rules, thereby avoiding blocking specific TLS versions.

Be aware that these workarounds may impact network functionality or performance, so they should be tested before deployment.

The most effective mitigation is to upgrade to the fixed software versions released by Cisco that fully remediate the vulnerability.

Using the Cisco Software Checker tool can help identify the appropriate fixed versions for your environment.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20006. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart