CVE-2025-20127
BaseFortify
Publication date: 2025-08-14
Last updated on: 2025-08-25
Assigner: Cisco Systems, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | firepower_threat_defense | 7.4.0 |
| cisco | firepower_threat_defense | 7.4.1 |
| cisco | firepower_threat_defense | 7.4.1.1 |
| cisco | firepower_threat_defense | 7.4.2 |
| cisco | firepower_threat_defense | 7.4.2.1 |
| cisco | firepower_threat_defense | 7.6.0 |
| cisco | secure_firewall_3105 | * |
| cisco | secure_firewall_3110 | * |
| cisco | secure_firewall_3120 | * |
| cisco | secure_firewall_3130 | * |
| cisco | secure_firewall_3140 | * |
| cisco | secure_firewall_4215 | * |
| cisco | secure_firewall_4225 | * |
| cisco | secure_firewall_4245 | * |
| cisco | adaptive_security_appliance_software | 9.20.1 |
| cisco | adaptive_security_appliance_software | 9.20.1.5 |
| cisco | adaptive_security_appliance_software | 9.20.2 |
| cisco | adaptive_security_appliance_software | 9.20.2.10 |
| cisco | adaptive_security_appliance_software | 9.20.2.21 |
| cisco | adaptive_security_appliance_software | 9.20.2.22 |
| cisco | adaptive_security_appliance_software | 9.20.3 |
| cisco | adaptive_security_appliance_software | 9.20.3.4 |
| cisco | adaptive_security_appliance_software | 9.20.3.7 |
| cisco | adaptive_security_appliance_software | 9.22.1.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the TLS 1.3 implementation for the cipher TLS_CHACHA20_POLY1305_SHA256 on Cisco Secure Firewall ASA and FTD Software for Firepower 3100 and 4200 Series devices. An authenticated remote attacker can exploit it by sending many TLS 1.3 connections using this specific cipher, causing the device to consume excessive resources. This leads to a denial of service (DoS) condition where the device stops accepting any new SSL/TLS or VPN connections until it is reloaded.
How can this vulnerability impact me?
If exploited, this vulnerability can cause a denial of service on affected Cisco firewall devices, preventing them from accepting any new encrypted SSL/TLS or VPN connections. This disruption can impact network security and availability, potentially blocking legitimate users from accessing resources or services protected by these devices until the device is manually reloaded.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid using the TLS 1.3 cipher TLS_CHACHA20_POLY1305_SHA256 on affected Cisco Secure Firewall ASA and FTD devices. Monitor for excessive TLS 1.3 connections using this cipher and consider reloading the device if it stops accepting new encrypted connections. Applying any available software updates or patches from Cisco addressing this issue is also recommended.
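The monitoring step above ("watch for excessive TLS 1.3 connections using this cipher") is the part a defender can automate. The following is an added example, not code from BaseFortify or Cisco: it scans a connection log for TLS 1.3 handshakes that negotiated TLS_CHACHA20_POLY1305_SHA256 and flags any client that reaches a threshold within a sliding time window. The `key=value` log format, the sample lines, the source addresses and the threshold/window values are all constructed assumptions; `parse_line()` is the only part that needs adapting to a real export from a device or TLS inspection point.

```python
"""Added example: rate-based detection of TLS 1.3 ChaCha20-Poly1305 handshakes.

Not code from BaseFortify or Cisco. The log layout below is a constructed,
generic 'timestamp src= tls= cipher=' format; adapt parse_line() to the
real log source. Thresholds are placeholders to tune per environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TARGET_CIPHER = "TLS_CHACHA20_POLY1305_SHA256"
TARGET_VERSION = "TLSv1.3"

# Constructed sample log lines (not real device output).
SAMPLE_LOG = """\
2025-08-14T10:00:00Z src=203.0.113.10 tls=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384
2025-08-14T10:00:01Z src=203.0.113.20 tls=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256
2025-08-14T10:00:02Z src=203.0.113.20 tls=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256
2025-08-14T10:00:03Z src=203.0.113.20 tls=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256
2025-08-14T10:00:04Z src=203.0.113.20 tls=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256
2025-08-14T10:00:05Z src=203.0.113.30 tls=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305
2025-08-14T10:02:10Z src=203.0.113.20 tls=TLSv1.3 cipher=TLS_CHACHA20_POLY1305_SHA256
"""


def parse_line(line):
    """Parse one 'key=value' log line into a dict; return None on malformed input."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"src", "tls", "cipher"}.issubset(fields):
        return None
    fields["ts"] = ts
    return fields


def detect_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {src: peak_count} for clients whose TLS 1.3 handshakes with the
    affected cipher reach `threshold` inside any sliding `window`.

    Handshakes with other ciphers or TLS versions are ignored, since only the
    TLS 1.3 ChaCha20-Poly1305 path is relevant to this advisory.
    """
    recent = defaultdict(deque)  # src -> timestamps of matching handshakes
    alerts = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["tls"] != TARGET_VERSION or rec["cipher"] != TARGET_CIPHER:
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        # Drop timestamps that fell out of the window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[rec["src"]] = max(alerts.get(rec["src"], 0), len(q))
    return alerts


if __name__ == "__main__":
    for src, n in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} TLS 1.3 {TARGET_CIPHER} handshakes within 60s")
```

On the constructed sample, only 203.0.113.20 is reported (four matching handshakes within the 60-second window); the AES-GCM client and the TLS 1.2 ChaCha20 client are ignored because they do not exercise the affected code path. In practice the threshold should sit well above the normal rate of ChaCha20-Poly1305 negotiations seen on the device, and an alert is a prompt to check whether the firewall is still accepting new SSL/TLS and VPN sessions, which is the symptom the advisory describes.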