Cisco patches critical vulnerability in ASA and Firepower

Cisco released several security patches on Wednesday to fix software vulnerabilities that could be used to leak sensitive information from affected devices and solutions.

The vulnerability, tracked as CVE-2022-20866, is rated high severity by Cisco (CVSS score: 7.4). It is described as a “logical error” in the handling of RSA keys on devices running Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software.

This vulnerability could be exploited through a side-channel attack to discover patterns that would reveal the device’s secret encryption key. An attacker who obtains an RSA private key could use it to impersonate a device running Cisco ASA Software or Cisco FTD Software, or to decrypt traffic from the device.

Affected Products

Cisco has recently published a security advisory about its affected products.

Solution

Cisco recommends updating and patching the affected products. It has published software updates that fix the described vulnerabilities, which can be downloaded from the Software Center.