CVE-2026-20102
Reflected XSS in Cisco Secure Firewall SAML 2.0 SSO
Publication date: 2026-03-04
Last updated on: 2026-04-16
Assigner: Cisco Systems, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | adaptive_security_appliance_software | From 9.16.1 (inc) to 9.16.4.89 (exc) |
| cisco | adaptive_security_appliance_software | From 9.17.1 (inc) to 9.18.4.71 (exc) |
| cisco | adaptive_security_appliance_software | From 9.20.1 (inc) to 9.20.4.19 (exc) |
| cisco | adaptive_security_appliance_software | From 9.22.1.1 (inc) to 9.22.2.32 (exc) |
| cisco | adaptive_security_appliance_software | From 9.23.1 (inc) to 9.23.1.26 (exc) |
| cisco | firepower_threat_defense_software | From 7.1.0 (inc) to 7.2.11 (exc) |
| cisco | firepower_threat_defense_software | From 7.0.0 (inc) to 7.0.9 (exc) |
| cisco | firepower_threat_defense_software | From 7.4.0 (inc) to 7.4.3 (exc) |
| cisco | firepower_threat_defense_software | From 7.6.0 (inc) to 10.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a reflected Cross-Site Scripting (XSS) issue in the SAML 2.0 single sign-on (SSO) feature of Cisco Secure Firewall ASA and Threat Defense Software. It occurs because the software does not properly validate multiple HTTP parameters used in the SAML feature.

An unauthenticated, remote attacker can exploit this by tricking a user into clicking a malicious link. When the user accesses this link, the attacker can execute a reflected XSS attack, which allows them to access sensitive information stored in the user's browser. [1]
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker to perform a reflected XSS attack, leading to unauthorized access to sensitive browser-based information of the user.

This could compromise user data confidentiality and integrity by exposing sensitive information through the victim's browser.

The attack requires the user to interact by clicking a malicious link, but no authentication or privileges are needed by the attacker. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying the configuration of the SAML 2.0 single sign-on (SSO) feature and related VPN settings on Cisco Secure Firewall ASA or Secure FTD devices.
- Use the command `show webvpn saml idp` to check the SAML 2.0 Identity Provider (IdP) configuration.
- Use the command `show running-config tunnel-group | include remote-access|webvpn-attributes|saml` to check the SAML 2.0 Service Provider (SP) configuration.
- Use the command `show running-config` to verify remote access VPN settings, looking specifically for `crypto ikev2 enable <interface>` for IKEv2 and `webvpn enable <interface>` for SSL VPN, which indicate vulnerable configurations.
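A self-check that combines the affected-version table above with the configuration indicators from the detection steps, as an added example (not code from Cisco or from this record); the running-config excerpt is constructed, the IdP URLs are placeholders, and the product keys match the table's naming:

```python
# Affected ranges copied from the table on this page: (lower inclusive, upper exclusive).
AFFECTED = {
    "adaptive_security_appliance_software": [
        ("9.16.1", "9.16.4.89"), ("9.17.1", "9.18.4.71"), ("9.20.1", "9.20.4.19"),
        ("9.22.1.1", "9.22.2.32"), ("9.23.1", "9.23.1.26")],
    "firepower_threat_defense_software": [
        ("7.1.0", "7.2.11"), ("7.0.0", "7.0.9"), ("7.4.0", "7.4.3"), ("7.6.0", "10.0.0")],
}

def parse_version(v):
    # "9.16.4.89" -> (9, 16, 4, 89); a shorter tuple sorts before its extension, so 9.16.4 < 9.16.4.89
    return tuple(int(p) for p in v.strip().split("."))

def is_affected_version(product, version):
    """True if the version lies inside any [lower, upper) range listed for the product."""
    ver = parse_version(version)
    return any(parse_version(lo) <= ver < parse_version(hi) for lo, hi in AFFECTED[product])

def vulnerable_config_indicators(running_config):
    """Collect the lines the detection steps point at: SAML IdP/SP statements,
    'enable <interface>' under webvpn (SSL VPN) and 'crypto ikev2 enable <interface>'."""
    found = {"saml": [], "webvpn_enable": [], "ikev2_enable": []}
    block = None  # current top-level block, e.g. "webvpn" or "tunnel-group ..."
    for line in running_config.splitlines():
        s = line.strip()
        if not s:
            continue
        if not line[0].isspace():  # an unindented line opens a new top-level block
            block = s
        if block == "webvpn" and s.startswith("enable "):
            found["webvpn_enable"].append(s)
        elif s.startswith("crypto ikev2 enable "):
            found["ikev2_enable"].append(s)
        elif s.startswith("saml "):
            found["saml"].append(s)
    return found

def is_exposed(running_config):
    """SAML SSO configured AND a remote-access VPN (SSL or IKEv2) enabled on an interface."""
    f = vulnerable_config_indicators(running_config)
    return bool(f["saml"]) and bool(f["webvpn_enable"] or f["ikev2_enable"])

# Constructed running-config excerpt (not from a real device): SAML SSO on an SSL VPN
# tunnel-group; the IdP URLs are placeholders.
SAMPLE_CONFIG = """\
webvpn
 enable outside
 saml idp https://idp.example.test/metadata
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN webvpn-attributes
 saml identity-provider https://idp.example.test/metadata
 authentication saml
"""
```

A device is of concern when both checks hold: `is_affected_version(...)` for its release and `is_exposed(...)` for its `show running-config` output.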
What immediate steps should I take to mitigate this vulnerability?
There are no available workarounds for this vulnerability. The immediate mitigation step is to upgrade to the fixed software releases provided by Cisco.
Cisco strongly recommends applying the software updates that remediate this issue as detailed in their security advisory.
If you do not have a direct Cisco service contract, contact Cisco TAC for assistance in obtaining the fixed software.