PROBABLYPWNED
Vulnerabilities | February 12, 2026 | 4 min read

Cisco Snort 3 MIME Flaws Expose Firewalls to DoS and Data Leaks

CVE-2025-20359 and CVE-2025-20360 affect Cisco FTD, Meraki, and open-source Snort 3. No workarounds exist—patches rolling out through February.

Marcus Chen

Cisco has updated its advisory for two vulnerabilities in Snort 3's MIME decoder that could let remote attackers crash the detection engine or leak sensitive network traffic. First published in October 2025, the advisory now confirms that patches for Cisco Meraki appliances are scheduled for release this month.

TL;DR

  • What happened: Buffer handling flaws in Snort 3's HTTP MIME parser allow unauthenticated DoS and potential data disclosure
  • Who's affected: Cisco Secure Firewall Threat Defense, Meraki MX appliances, IOS XE with UTD, and open-source Snort 3
  • Severity: Medium (CVSS 6.5 and 5.8)
  • Action required: Update to Snort 3.9.6.0 or apply vendor-specific patches as they become available

What Are These Vulnerabilities?

Two distinct flaws affect how Snort 3 processes MIME headers in HTTP traffic:

CVE-2025-20359 stems from a buffer under-read condition when parsing MIME fields. An attacker can send crafted HTTP packets through an established connection, causing the Snort 3 detection engine to either crash and restart or leak data from adjacent memory buffers. The NVD entry for CVE-2025-20359 assigns this a CVSS base score of 6.5.

CVE-2025-20360 results from incomplete error checking during MIME header parsing. While this flaw can also crash the detection engine, it lacks the information disclosure component of its sibling vulnerability. Cisco rates it at CVSS 5.8.

Both vulnerabilities share a common weakness pattern—CWE-127 (Buffer Under-read) and CWE-805 (Buffer Access with Incorrect Length Value)—indicating flawed boundary checking in the HTTP decoder's memory operations.

How Could Attackers Exploit This?

Exploitation requires an attacker to send malformed HTTP packets through a connection that Snort 3 inspects. The attack doesn't require authentication or user interaction, making it accessible to any threat actor who can route traffic through an affected device.

When the Snort 3 engine crashes, packet inspection temporarily stops until the watchdog restarts it. During that window, malicious traffic could pass uninspected. The more concerning scenario involves CVE-2025-20359's data leakage capability—attackers could potentially extract fragments of network traffic or internal metadata from memory adjacent to allocated buffers.

This attack pattern differs from previous Cisco AsyncOS vulnerabilities that enabled full system compromise. The MIME flaws are disruptive rather than catastrophic, but organizations running high-availability security infrastructure should still prioritize remediation.

Which Products Are Affected?

According to Cisco's security advisory, the following products are vulnerable:

  • Cisco Secure Firewall Threat Defense (FTD) Software version 7.0.0 and later with Snort 3 enabled
  • Open-source Snort 3 prior to version 3.9.6.0
  • Cisco IOS XE Software with Unified Threat Defense (UTD) configured
  • Cisco Meraki MX appliances (MX67 through MX600 series and virtual variants)

Snort 3 must be actively running for the vulnerability to be exploitable. Devices using Snort 2 are not affected.

What Should Security Teams Do?

Cisco has released or scheduled fixes across affected product lines:

  1. Update Snort 3 to version 3.9.6.0 or later
  2. Apply FTD hotfixes through the Cisco Support Portal
  3. Monitor the Meraki dashboard for the February 2026 firmware updates
  4. Verify inspection resumes after applying patches—Cisco specifically recommends validating that packet inspection functions correctly post-update

There are no workarounds. Traffic filtering or intrusion policy adjustments won't mitigate these flaws because the vulnerability triggers during HTTP header parsing before rule evaluation occurs.
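The first remediation step is a version comparison against the fixed open-source release the advisory names (3.9.6.0), which is easy to get wrong by hand when version strings have three components instead of four or when a string compare puts "3.10" before "3.9". The script below is an added example, not code from Cisco, the Snort project, or the original article. It assumes that `snort -V` prints a banner containing a "Version x.y.z.w" token (the sample banner is constructed for illustration, not captured from a device), and it does not attempt to map FTD, IOS XE or Meraki firmware versions, which the advisory handles separately.

```python
import re
import subprocess

# Fixed open-source Snort 3 release named in the advisory.
FIXED_SNORT3 = (3, 9, 6, 0)

# Constructed sample banner in the shape `snort -V` prints; only the
# "Version x.y.z.w" token is relied on, so cosmetic banner differences do not matter.
SAMPLE_BANNER = """\
   ,,_     -*> Snort++ <*-
  o"  )~   Version 3.9.4.0
   ''''    By Martin Roesch & The Snort Team
"""

_VERSION_RE = re.compile(r"Version\s+(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple:
    """Extract the dotted version from a Snort banner as a tuple of ints.

    Versions are normalised to four components so that "3.9.6" compares
    equal to "3.9.6.0" instead of sorting before it.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no 'Version x.y.z' token found in banner")
    parts = tuple(int(p) for p in m.group(1).split("."))
    if len(parts) < 4:
        parts = parts + (0,) * (4 - len(parts))
    return parts[:4]


def is_snort3_affected(version: tuple) -> bool:
    """Per the advisory: Snort 2 is not affected; Snort 3 below 3.9.6.0 is."""
    if version[0] != 3:
        return False
    # Tuple comparison is numeric per component, so 3.10.x correctly sorts after 3.9.x.
    return version < FIXED_SNORT3


def assess_banner(text: str) -> dict:
    """Summarise exposure for a banner: parsed version, affected flag, fixed version."""
    v = parse_version(text)
    return {
        "version": ".".join(map(str, v)),
        "affected": is_snort3_affected(v),
        "fixed_in": ".".join(map(str, FIXED_SNORT3)),
    }


def assess_local_snort() -> dict:
    """Run `snort -V` on this host and assess its banner (requires snort on PATH)."""
    out = subprocess.run(["snort", "-V"], capture_output=True, text=True, check=False)
    return assess_banner(out.stdout + out.stderr)


if __name__ == "__main__":
    print(assess_banner(SAMPLE_BANNER))
    try:
        print(assess_local_snort())
    except (FileNotFoundError, ValueError) as exc:
        print(f"local snort not assessed: {exc}")
```

Run it on a sensor with Snort 3 installed and it reports whether the installed build predates 3.9.6.0; for Cisco-managed appliances, compare the Snort version the management console reports rather than trusting a shell on the box. The check only answers step 1 of the list above; it says nothing about whether inspection actually resumed after patching, which is why Cisco asks teams to validate that separately.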

Why This Matters

Snort powers traffic inspection across millions of network security appliances worldwide. A flaw that can crash the detection engine—even temporarily—creates a window for attackers to slip malware, exfiltration traffic, or command-and-control communications past security controls.

The timing matters too. With Microsoft's February Patch Tuesday addressing six zero-days and FortiClientEMS patching a critical SQL injection this same week, security teams face competing priorities. These Snort 3 flaws may rank lower in severity than some peers, but organizations that depend on Cisco firewalls for perimeter defense shouldn't let them slide down the remediation queue.

Cisco tracks these issues under six internal bug IDs: CSCwo71401, CSCwq03467, CSCwq15864, CSCwq42141, CSCwq42153, and CSCwq42161. The original advisory was published October 15, 2025, and the February 12, 2026 update is marked as version 1.1.

For the latest patch availability, check the Cisco Security Center or your product's support portal.
