CVE-2026-20009
SSH Authentication Bypass in Cisco ASA Allows Remote User Access
Publication date: 2026-03-04
Last updated on: 2026-04-16
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | adaptive_security_appliance_software | From 9.17.1 (inc) to 9.18.4.71 (exc) |
| cisco | adaptive_security_appliance_software | From 9.19.1 (inc) to 9.20.4.10 (exc) |
| cisco | adaptive_security_appliance_software | From 9.23.1 (inc) to 9.23.1.19 (exc) |
| cisco | adaptive_security_appliance_software | From 9.22.1.1 (inc) to 9.22.2.14 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-138 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as control elements or syntactic markers when they are sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the proprietary SSH stack implementation of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software when using SSH key-based authentication.
Due to insufficient validation of user input during the SSH authentication phase, an unauthenticated remote attacker who has a valid username and the associated public key—but not the private key—can submit specially crafted input to bypass the private key requirement.
This allows the attacker to log in as that specific user and execute commands on the affected device.
However, exploitation does not grant root or administrative privileges, and certain AAA configuration commands are not affected.
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'An attacker exploiting this vulnerability can remotely log in to a Cisco Secure Firewall ASA device as a specific user without needing the private SSH key.'}, {'type': 'paragraph', 'content': 'This unauthorized access allows the attacker to execute commands on the device with the privileges of that user.'}, {'type': 'paragraph', 'content': "While the attacker does not gain root or administrative access, this could still lead to unauthorized actions, potential disruption, or information disclosure depending on the user's permissions."}, {'type': 'paragraph', 'content': 'There are no known workarounds, so remediation requires upgrading to fixed software versions.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect if your Cisco Secure Firewall ASA device is vulnerable to CVE-2026-20009, you should verify if the Cisco SSH stack is enabled and if SSH key-based authentication is configured.
- Check for the Cisco SSH stack with the command: `show running-config | include ssh` and look for the presence of `ssh stack ciscossh`.
- Confirm SSH key-based authentication by checking for `ssh authentication publickey` in the running configuration.
Additionally, use the Cisco Software Checker tool to identify affected software versions and verify if your device is running a vulnerable release.
What immediate steps should I take to mitigate this vulnerability?
There are no workarounds available for this vulnerability. The immediate and recommended mitigation step is to upgrade your Cisco Secure Firewall ASA devices to the fixed software releases provided by Cisco.
Ensure that your devices are running a version of ASA Software that includes the fix for this vulnerability, as listed in the Cisco security advisory.
Use the Cisco Software Checker tool to identify affected versions and obtain the appropriate fixed releases.