
SecurityWeek

Vulnerabilities

Cisco Patches High-Severity Vulnerability in Security Solutions

Cisco this week announced the release of patches for a high-severity vulnerability in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that could allow an unauthenticated attacker to leak an RSA private key.


The ASA software is the core operating system of Cisco’s ASA security devices, which provide protection to data centers and corporate networks, while the FTD software delivers next-generation firewall services.

Tracked as CVE-2022-20866, the vulnerability exists because of “a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography,” Cisco notes in its advisory.

A threat actor using a Lenstra side-channel attack against a vulnerable device could exploit the security bug to retrieve the RSA private key.

“This vulnerability will apply to approximately 5 percent of the RSA keys on a device that is running a vulnerable release of Cisco ASA Software or Cisco FTD Software; not all RSA keys are expected to be affected due to mathematical calculations applied to the RSA key,” Cisco explains.

The tech company also notes that the affected key may be a valid RSA key with specific characteristics that make it susceptible to the leak, or a malformed, invalid RSA key that was created by a vulnerable software release and produces invalid RSA signatures, which then fail verification.

In either case, an attacker may use the obtained RSA private key to impersonate a device running ASA or FTD software, or to decrypt the device traffic.
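The failure mode above, an RSA-CRT signature that does not verify, is the signal an administrator has to act on. As an added illustration that is not Cisco's code and not from the advisory, the toy signer below applies the standard verify-before-release check, and the audit function flags a key whose observed signatures fail verification so it can be removed and its certificates revoked. The primes, the message values and the simulated fault are constructed for the example and are far too small for real use.

```python
import hashlib

# Constructed toy key: p = 2^31 - 1 and q = 2^32 + 15 are both prime (not a real device key).
P, Q, E = 2147483647, 4294967311, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+ modular inverse)


def msg_to_int(message: bytes) -> int:
    """Reduce a message to an integer representative below n (toy padding, not PKCS#1)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign_crt(m: int, fault: bool = False) -> int:
    """RSA-CRT signing (Garner recombination). fault=True corrupts the q-leg result,
    simulating the kind of wrong intermediate value that yields an invalid signature."""
    dp, dq = D % (P - 1), D % (Q - 1)
    sp = pow(m, dp, P)
    sq = pow(m, dq, Q)
    if fault:
        sq = (sq + 1) % Q                   # constructed fault: one CRT half is wrong
    qinv = pow(Q, -1, P)
    h = (qinv * (sp - sq)) % P
    return sq + h * Q


def verify(m: int, s: int) -> bool:
    """Public-key verification: s^e mod n must equal the signed representative."""
    return pow(s, E, N) == m


def sign_checked(m: int, fault: bool = False) -> int:
    """Mitigation: never release a CRT signature that fails self-verification."""
    s = sign_crt(m, fault)
    if not verify(m, s):
        raise ValueError("signature failed self-verification; do not release it")
    return s


def audit_signatures(pairs):
    """Administrator-side check over (m, s) pairs produced by one key: returns the
    indices that fail verification. Any hit means the key is susceptible and must be
    removed and its certificates revoked, as the advisory recommends."""
    return [i for i, (m, s) in enumerate(pairs) if not verify(m, s)]


if __name__ == "__main__":
    m = msg_to_int(b"constructed sample message")
    print("good signature verifies:", verify(m, sign_crt(m)))
    print("faulty signature verifies:", verify(m, sign_crt(m, fault=True)))
```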

The vulnerability, Cisco explains, impacts the following ASA devices with FirePOWER services: ASA 5506-X, ASA 5506H-X, ASA 5506W-X, ASA 5508-X, and ASA 5516-X, as well as the Firepower 1000 series next-gen firewalls, the Firepower 2100, 4100, and 9300 series security appliances, and the Secure Firewall 3100 products.

Only ASA software releases 9.16.1 and later and FTD software releases 7.0.0 and later are impacted by this vulnerability. ASA software releases 9.16.3.19, 9.17.1.13, and 9.18.2, and FTD software releases 7.0.4, 7.1.0.2-2, and 7.2.0.1 address the security flaw.

“As the result of this vulnerability, Cisco ASA or FTD device administrators may need to remove malformed or susceptible RSA keys and possibly revoke any certificates associated with those RSA keys. This is because it is possible the RSA private key has been leaked to a malicious actor,” Cisco says.

The tech company also notes that information on this vulnerability has already been made public, but that it is not aware of any exploitation attempts.

On Wednesday, Cisco also announced patches for a request smuggling vulnerability in the Clientless SSL VPN (WebVPN) component of ASA software, which could allow an unauthenticated, remote attacker to launch attacks from the browser, by tricking the victim into accessing a malicious website.

Cisco deprecated support for the vulnerable component in ASA software release 9.17(1) and encourages customers to upgrade to a non-vulnerable release. As a possible workaround, customers could disable the Clientless SSL VPN feature, which could impact functionality or performance.

Tracked as CVE-2022-20713, the vulnerability is considered ‘medium severity’, but proof-of-concept exploit code targeting the bug is already available publicly.

In coordination with a Rapid7 talk at the Black Hat 2022 conference in Las Vegas, Cisco also updated a series of previously published advisories detailing high- and medium-severity vulnerabilities in ASA software, Adaptive Security Device Manager (ASDM), and FTD software.

Some of these vulnerabilities – such as CVE-2022-20651, CVE-2022-20828, and others – have already been addressed, but others have yet to be properly fixed, or they have yet to receive a patch at all.

Rapid7 has published a blog post detailing its findings. The cybersecurity firm has identified 10 issues, but it has not reached a consensus with Cisco regarding the impact and resolution of some flaws.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
