CVE-2026-20066: Uncontrolled Resource Consumption in Cisco Secure Firewall Threat Defense (FTD) Software
Multiple Cisco products are affected by a vulnerability in the Snort 3 Detection Engine that could allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to restart, resulting in an interruption of packet inspection. This vulnerability is due to an error in the JSTokenizer normalization logic when the HTTP inspection normalizes JavaScript. An attacker could exploit this vulnerability by sending crafted HTTP packets through an established connection that is parsed by Snort 3. A successful exploit could allow the attacker to cause a DoS condition when the Snort 3 Detection Engine restarts unexpectedly. JSTokenizer is not enabled by default.
AI Analysis
Technical Summary
CVE-2026-20066 is a vulnerability in the Snort 3 Detection Engine component of Cisco Secure Firewall Threat Defense (FTD) software, specifically in the JSTokenizer normalization logic used during HTTP inspection of JavaScript content. The flaw causes the Snort 3 engine to restart unexpectedly when it processes specially crafted HTTP packets containing malicious JavaScript payloads. This uncontrolled resource consumption leads to a denial-of-service (DoS) condition by interrupting the firewall's packet inspection. The vulnerability affects numerous versions of Cisco FTD software from 7.4.0 through 7.7.10.1; the JSTokenizer feature is not enabled by default, which reduces the attack surface. Exploitation requires no authentication or user interaction and can be performed remotely over the network. The CVSS v3.1 base score is 5.8 (medium severity), reflecting an impact on availability without any compromise of confidentiality or integrity. No public exploits have been reported to date. The root cause is an error in the JSTokenizer's handling of JavaScript normalization which, when triggered, causes the detection engine to restart, temporarily disabling packet inspection and potentially allowing malicious traffic to pass uninspected during that window.
Potential Impact
The primary impact of this vulnerability is a denial-of-service condition affecting the availability of Cisco Secure Firewall Threat Defense's packet inspection capabilities. When exploited, the Snort 3 Detection Engine restarts, causing a temporary interruption in traffic inspection and potentially allowing malicious or unauthorized traffic to bypass security controls. This can degrade the network security posture and increase the risk of further attacks or data exfiltration during the downtime. Organizations relying on Cisco FTD for perimeter defense or internal segmentation may experience reduced effectiveness of their intrusion detection and prevention systems. Although confidentiality and integrity are not directly impacted, the loss of availability can have cascading effects on overall network security and operational continuity. Because exploitation requires no authentication and can be performed remotely, the risk is higher in environments where JSTokenizer is enabled. However, since JSTokenizer is disabled by default, the exposure is somewhat limited. The absence of known exploits in the wild reduces the immediate risk but does not eliminate the need for remediation.
Mitigation Recommendations
1. Apply Cisco's security updates and patches for all affected versions of Cisco Secure Firewall Threat Defense software as soon as they become available.
2. If JSTokenizer functionality is not required for your environment, disable it to reduce the attack surface.
3. Monitor network traffic for unusual HTTP packets that could indicate attempts to exploit this vulnerability, focusing on JavaScript content inspection.
4. Implement network segmentation and strict access controls to limit exposure of Cisco FTD devices to untrusted networks.
5. Regularly audit and update firewall and intrusion detection/prevention system configurations to ensure best practices are followed.
6. Employ layered security controls such as endpoint protection and network anomaly detection to mitigate risks during potential downtime of the Snort engine.
7. Maintain up-to-date incident response plans to quickly address any denial-of-service events impacting firewall inspection capabilities.
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, India, Brazil, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: cisco
- Date Reserved: 2025-10-08T11:59:15.357Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a8777ad1a09e29cb54d37d
Added to database: 3/4/2026, 6:18:34 PM
Last enriched: 3/11/2026, 8:17:41 PM
Last updated: 4/19/2026, 9:24:31 AM
Views: 47