CVE-2026-20007
Logic Flaw in Cisco Snort Enables Remote Traffic Bypass
Publication date: 2026-03-04
Last updated on: 2026-03-04
Assigner: Cisco Systems, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | secure_firewall_threat_defense | 2 |
| cisco | secure_firewall_threat_defense | 3 |
| cisco | secure_firewall_threat_defense | * |
| cisco | snort | 2 |
| cisco | snort | 3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-20007 is a medium-severity vulnerability in Cisco Secure Firewall Threat Defense (FTD) Software affecting the Snort 2 and Snort 3 deep packet inspection engines.
The vulnerability arises from a logic error in how Snort Engine rules are integrated with Cisco Secure FTD, causing inconsistent rule matching between the inspection of inner and outer packet connections.
This flaw allows an unauthenticated, remote attacker to bypass configured Snort rules by sending specially crafted traffic that triggers different Snort rules during deep inspection, enabling unauthorized traffic to pass through the firewall that should have been blocked.
How can this vulnerability impact me?
This vulnerability could allow an unauthenticated, remote attacker to bypass configured Snort rules on Cisco Secure Firewall Threat Defense devices.
As a result, traffic that should have been denied by the firewall could be allowed onto the network.
This could lead to unauthorized access or exposure of the network to potentially malicious traffic.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Cisco provides a Software Checker tool to help customers identify affected versions of Cisco Secure Firewall Threat Defense (FTD) Software that are vulnerable to CVE-2026-20007.
To detect if your system is vulnerable, you should use this Software Checker tool to verify the version of your Cisco Secure FTD Software and determine if it includes the vulnerable Snort 2 or Snort 3 deep packet inspection engines.
Additionally, Cisco provides instructions and resources for determining the Snort version and software compatibility, which can help in assessing exposure to this vulnerability.
No specific network or system commands are provided in the available resources for detecting this vulnerability directly on your network traffic.
What immediate steps should I take to mitigate this vulnerability?
There are no workarounds available for this vulnerability.
The immediate and recommended mitigation step is to upgrade Cisco Secure Firewall Threat Defense (FTD) Software to the fixed versions specified in the Cisco advisory.
Customers should consult Cisco's upgrade guides and follow the instructions to apply the fixed software releases to fully remediate the issue.