
CVE-2026-20062: Incorrect Execution-Assigned Permissions in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software

Severity: High
Type: Vulnerability
Tags: CVE-2026-20062, cve, cve-2026-20062
Published: Wed Mar 04 2026 (03/04/2026, 17:22:20 UTC)
Source: CVE Database V5
Vendor/Project: Cisco
Product: Cisco Secure Firewall Adaptive Security Appliance (ASA) Software

Description

A vulnerability in the CLI of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software in multiple context mode could allow an authenticated, local attacker with administrative privileges in one context to copy files to or from another context, including configuration files. This vulnerability is due to improper access controls for Secure Copy Protocol (SCP) operations when the CiscoSSH stack is enabled. An attacker could exploit this vulnerability by authenticating to a non-admin context of the device and issuing crafted SCP copy commands in that non-admin context. A successful exploit could allow the attacker to read, create, or overwrite sensitive files that belong to another context, including the admin and system contexts. The attacker cannot directly impact the availability of services pertaining to other contexts. To exploit this vulnerability, the attacker must have valid administrative credentials for a non-admin context. Note: An attacker cannot list or enumerate files from another context and would need to know the exact file path, which increases the complexity of a successful attack.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/11/2026, 19:58:35 UTC

Technical Analysis

CVE-2026-20062 is a vulnerability in the command-line interface (CLI) of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software when operating in multiple context mode. The flaw arises from incorrect execution-assigned permissions related to Secure Copy Protocol (SCP) operations when the CiscoSSH stack is enabled. Specifically, an attacker who has authenticated with administrative privileges in a non-admin context can issue specially crafted SCP copy commands that allow them to copy files to or from other contexts, including the admin and system contexts. This occurs because the access controls for SCP operations do not properly isolate file operations between contexts. Although the attacker cannot list or enumerate files in other contexts, they can read, create, or overwrite files if they know the exact file paths. The vulnerability does not allow direct disruption of service availability for other contexts. Exploitation requires local authenticated access with administrative privileges in at least one non-admin context, increasing the attack complexity. The vulnerability affects a wide range of ASA software versions from 9.17.1 to 9.23.1.3, indicating a long-standing issue across multiple releases. Cisco has assigned a CVSS v3.1 score of 7.2 (high severity), reflecting the significant confidentiality and integrity impacts, though with high attack complexity and requiring privileges. No public exploits have been reported so far. The vulnerability highlights the risks of multi-context environments where improper isolation can lead to cross-context file access.

Potential Impact

The vulnerability poses a significant risk to organizations deploying Cisco ASA in multiple context mode, especially those relying on strict separation between contexts for security. An attacker with administrative access in one context can compromise the confidentiality and integrity of other contexts by reading or modifying sensitive configuration files or system files. This could lead to unauthorized disclosure of sensitive information, unauthorized configuration changes, or persistence mechanisms implanted in other contexts. Although availability is not directly impacted, the integrity compromise could indirectly affect firewall policies or system behavior, potentially weakening overall network security. Given the widespread use of Cisco ASA devices in enterprise and service provider networks worldwide, exploitation could facilitate lateral movement, privilege escalation, or data exfiltration within segmented environments. The requirement for local authenticated access with administrative privileges in a non-admin context limits the attack surface but does not eliminate risk, especially in environments where administrative credentials are shared or compromised. The inability to enumerate files increases attack complexity but does not prevent targeted attacks if file paths are known or guessed. The vulnerability could be leveraged in insider threat scenarios or post-compromise stages of an attack chain.

Mitigation Recommendations

Organizations should immediately verify if their Cisco ASA devices are running affected software versions in multiple context mode and have the CiscoSSH stack enabled. The primary mitigation is to apply Cisco's security patches or software updates that address this vulnerability once available. Until patches are deployed, administrators should restrict SCP access and usage to trusted personnel only and consider disabling SCP operations in non-admin contexts if feasible. Implement strict administrative credential management and monitoring to prevent unauthorized access to any context. Employ network segmentation and access controls to limit local access to ASA devices. Audit and monitor SCP command usage and file access logs for suspicious activity. Educate administrators about the risks of cross-context file operations and enforce the principle of least privilege for context administrators. Consider using alternative secure file transfer methods that enforce proper context isolation. Regularly review and update firewall configurations to detect unauthorized changes potentially resulting from exploitation.
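
The verification step above can be scripted against saved CLI output. The following is an added example, not code from Cisco or from this page; it assumes the captures come from `show version`, `show mode` and `show running-config ssh`, that the CiscoSSH stack appears as an `ssh stack ciscossh` line, and that the page's version bounds form an inclusive range. The device names and sample captures are constructed.

```python
import re

# Bounds as this page states them ("9.17.1 to 9.23.1.3"), treated as an inclusive
# range. That is an assumption; the vendor advisory lists the exact releases.
LOW, HIGH = (9, 17, 1, 0), (9, 23, 1, 3)
VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)\)(\d*)")

def parse_version(show_version):
    """Turn ASA's 9.18(4)22 notation into a comparable tuple (9, 18, 4, 22)."""
    m = VERSION_RE.search(show_version)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def ciscossh_state(running_ssh):
    """True/False if the stack is explicitly set, None if the config is silent."""
    lines = {line.strip().lower() for line in running_ssh.splitlines()}
    if "ssh stack ciscossh" in lines:
        return True
    if "no ssh stack ciscossh" in lines:
        return False
    return None  # a default may not be printed, so do not guess

def triage(show_version, show_mode, running_ssh):
    """Return 'exposed', 'not exposed' or 'review' from the three preconditions."""
    version = parse_version(show_version)
    mode = re.search(r"context mode:\s*(\w+)", show_mode, re.I)
    checks = [
        None if version is None else LOW <= version <= HIGH,
        None if mode is None else mode.group(1).lower() == "multiple",
        ciscossh_state(running_ssh),
    ]
    if False in checks:
        return "not exposed"   # one precondition is definitely absent
    if None in checks:
        return "review"        # missing evidence: check the device by hand
    return "exposed"

# Constructed sample captures (not taken from a real device).
SAMPLES = {
    "fw-a": ("Cisco Adaptive Security Appliance Software Version 9.18(4)22",
             "Security context mode: multiple", "ssh stack ciscossh\nssh timeout 5"),
    "fw-c": ("Cisco Adaptive Security Appliance Software Version 9.20(2)",
             "Security context mode: multiple", "ssh timeout 5"),
}

if __name__ == "__main__":
    for name, captures in SAMPLES.items():
        print(name, triage(*captures))
```

A `review` result means a precondition could not be read from the captures, so the device is neither cleared nor confirmed.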


Technical Details

Data Version: 5.2
Assigner Short Name: cisco
Date Reserved: 2025-10-08T11:59:15.356Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69a86ce0d1a09e29cb4f1556

Added to database: 3/4/2026, 5:33:20 PM

Last enriched: 3/11/2026, 7:58:35 PM

Last updated: 4/19/2026, 1:25:17 PM
