#VU123563 Improper neutralization of special elements in Cisco Adaptive Security Appliance (ASA) - CVE-2026-20009
Published: March 5, 2026
Vulnerability identifier: #VU123563
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-20009
CWE-ID: CWE-138
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Cisco Adaptive Security Appliance (ASA)
Cisco Adaptive Security Appliance (ASA)
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a remote attacker to impersonate other users.
The vulnerability exists due to insufficient validation of user input during the SSH authentication phase in the implementation of the proprietary SSH stack with SSH key-based authentication. A remote attacker with knowledge of username and the associated public key can submit specially crafted input during SSH authentication to an affected device and log in to the device as a specific user without the private SSH key of that user.
Remediation
Install updates from vendor's website.