CVE-2026-20008
Lua Code Injection in Cisco ASA/FTD CLI Allows Root Access
Publication date: 2026-03-04
Last updated on: 2026-04-16
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | adaptive_security_appliance_software | From 9.12.1 (inc) to 9.16.4.85 (exc) |
| cisco | adaptive_security_appliance_software | From 9.17.1 (inc) to 9.18.4.66 (exc) |
| cisco | adaptive_security_appliance_software | From 9.19.1 (inc) to 9.20.4 (exc) |
| cisco | adaptive_security_appliance_software | From 9.22.1.1 (inc) to 9.22.2.4 (exc) |
| cisco | adaptive_security_appliance_software | From 9.23.1 (inc) to 9.23.1.7 (exc) |
| cisco | firepower_threat_defense_software | From 6.4.0 (inc) to 7.0.9 (exc) |
| cisco | firepower_threat_defense_software | From 7.1.0 (inc) to 7.2.11 (exc) |
| cisco | firepower_threat_defense_software | From 7.3.0 (inc) to 7.4.3 (exc) |
| cisco | firepower_threat_defense_software | From 7.6.0 (inc) to 7.6.4 (exc) |
| cisco | firepower_threat_defense_software | From 7.7.0 (inc) to 7.7.11 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software. It arises because certain CLI commands that accept Lua code parameters do not properly sanitize user input.
An authenticated local attacker with valid Administrator credentials can exploit this by crafting and submitting malicious Lua code through these CLI commands. Successful exploitation allows the attacker to inject and execute arbitrary Lua code with root privileges on the underlying operating system.
This leads to a full compromise of the affected device.
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker with Administrator credentials to execute arbitrary code as the root user on the device.
This means the attacker can fully compromise the device, potentially gaining complete control over its operations and data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by using the Cisco Software Checker tool, which helps determine exposure and identify fixed software releases for Cisco Secure Firewall ASA and Secure FTD Software.
There are no specific commands provided in the available resources to detect this vulnerability directly on your system or network.
What immediate steps should I take to mitigate this vulnerability?
There are no available workarounds or mitigations for this vulnerability.
Cisco strongly recommends upgrading to fixed software releases to fully remediate the issue.
Before applying updates, ensure compatibility and sufficient device resources by following Ciscoβs upgrade guides.