Cisco Secure Firewall Threat Defense Software up to 7.7.0 Snort Deep Packet Inspection access control

Summaryinfo

A vulnerability was found in Cisco Secure Firewall Threat Defense Software. It has been classified as critical. This affects an unknown part of the component Snort Deep Packet Inspection. Performing a manipulation results in access control. This vulnerability is identified as CVE-2026-20007. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is recommended.

Detailsinfo

A vulnerability was found in Cisco Secure Firewall Threat Defense Software. It has been classified as critical. This affects an unknown code block of the component Snort Deep Packet Inspection. The manipulation with an unknown input leads to a access control vulnerability. CWE is classifying the issue as CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

A vulnerability in the Snort 2 and Snort 3 deep packet inspection of Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured Snort rules and allow traffic onto the network that should have been dropped. This vulnerability is due to a logic error in the integration of the Snort Engine rules with Cisco Secure FTD Software that could allow different Snort rules to be hit when deep inspection of the packet is performed for the inner and outer connections. An attacker could exploit this vulnerability by sending crafted traffic to a targeted device that would hit configured Snort rules. A successful exploit could allow the attacker to send traffic to a network where it should have been denied.

The advisory is shared at sec.cloudapps.cisco.com. This vulnerability is uniquely identified as CVE-2026-20007 since 10/08/2025. The exploitability is told to be easy. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 03/04/2026). MITRE ATT&CK project uses the attack technique T1068 for this issue.

Upgrading eliminates this vulnerability.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Type

• Firewall Software

Vendor

• Cisco

Name

• Secure Firewall Threat Defense Software

Version

• 6.4.0
• 6.4.0.1
• 6.4.0.2
• 6.4.0.3
• 6.4.0.4
• 6.4.0.5
• 6.4.0.6
• 6.4.0.7
• 6.4.0.8
• 6.4.0.9
• 6.4.0.10
• 6.4.0.11
• 6.4.0.12
• 6.4.0.13
• 6.4.0.14
• 6.4.0.15
• 6.4.0.16
• 6.4.0.17
• 6.4.0.18
• 7.0.0
• 7.0.0.1
• 7.0.1
• 7.0.1.1
• 7.0.2
• 7.0.2.1
• 7.0.3
• 7.0.4
• 7.0.5
• 7.0.6
• 7.0.6.1
• 7.0.6.2
• 7.0.6.3
• 7.0.7
• 7.0.8
• 7.0.8.1
• 7.1.0
• 7.1.0.1
• 7.1.0.2
• 7.1.0.3
• 7.2.0
• 7.2.0.1
• 7.2.1
• 7.2.2
• 7.2.3
• 7.2.4
• 7.2.4.1
• 7.2.5
• 7.2.5.1
• 7.2.5.2
• 7.2.6
• 7.2.7
• 7.2.8
• 7.2.8.1
• 7.2.9
• 7.2.10
• 7.2.10.2
• 7.3.0
• 7.3.1
• 7.3.1.1
• 7.3.1.2
• 7.4.0
• 7.4.1
• 7.4.1.1
• 7.4.2
• 7.4.2.1
• 7.4.2.2
• 7.4.2.3
• 7.4.2.4
• 7.6.0
• 7.6.1
• 7.6.2
• 7.6.2.1
• 7.7.0

License

• commercial

Website

• Vendor: https://www.cisco.com/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion