The vulnerability tracked as CVE-2022-20866 stems from a logic error in how the RSA key is stored in memory on hardware platforms that perform hardware-based encryption. A remote threat actor can exploit it to carry out a Lenstra side-channel attack and recover the RSA key. A compromised RSA private key can be used to impersonate a device running Cisco ASA Software or Cisco FTD Software, or to decrypt that device's traffic.
Cisco stated that the vulnerability only affects Cisco ASA Software 9.16.1 and later and Cisco FTD Software 7.0.0 and later, and has released security updates that fix it. Users running vulnerable Cisco ASA and FTD software versions are therefore advised to apply the published updates immediately so that they are not targeted by attacks exploiting this vulnerability.
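The Lenstra attack named above is the classic result that a single faulty RSA-CRT signature leaks a prime factor of the modulus, which is why RSA hardware must never release an unverified signature. The following is an added toy illustration (not Cisco code, and not the specific ASA/FTD defect) on a constructed small key: it assumes a CRT signer with a simulated fault in the mod-p branch, shows the gcd that exposes q, and shows the standard verify-before-release countermeasure refusing to emit the faulty value.

```python
from math import gcd
from typing import Optional

# Constructed toy RSA key: small primes so the example runs instantly.
# Assumption: the signer uses the standard CRT optimisation (dp, dq, qinv).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)


def crt_sign(m: int, fault_in_p: bool = False) -> int:
    """RSA-CRT signature of integer m (unpadded toy). fault_in_p simulates a
    hardware fault corrupting the mod-p half of the computation."""
    s_p = pow(m, DP, P)
    s_q = pow(m, DQ, Q)
    if fault_in_p:
        s_p = (s_p + 1) % P  # any corruption of the mod-p branch will do
    h = (QINV * (s_p - s_q)) % P
    return s_q + Q * h


def verify(m: int, s: int) -> bool:
    """Public-key check that s is a valid signature of m."""
    return pow(s, E, N) == m % N


def factor_from_faulty_signature(m: int, s_bad: int) -> int:
    """Lenstra's observation: a signature correct mod q but wrong mod p gives
    s_bad^e - m divisible by q and not by p, so gcd(s_bad^e - m, N) reveals q.
    This is why a faulty signature must never leave the device."""
    return gcd(pow(s_bad, E, N) - m, N)


def sign_checked(m: int, fault_in_p: bool = False) -> Optional[int]:
    """Countermeasure: re-verify with the public key before releasing the
    signature; return None (release nothing) if the self-check fails."""
    s = crt_sign(m, fault_in_p)
    return s if verify(m, s) else None


if __name__ == "__main__":
    msg = 123456789
    print("good signature verifies:", verify(msg, crt_sign(msg)))
    leaked = factor_from_faulty_signature(msg, crt_sign(msg, fault_in_p=True))
    print("factor leaked by faulty signature:", leaked, "== Q:", leaked == Q)
    print("checked signer with fault releases:", sign_checked(msg, True))
```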