CVE-2025-20136
BaseFortify
Publication date: 2025-08-14
Last updated on: 2025-08-15
Assigner: Cisco Systems, Inc.
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | secure_firewall_threat_defense | * |
| cisco | secure_firewall_adaptive_security_appliance | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the function that performs IPv4 and IPv6 Network Address Translation (NAT) DNS inspection on Cisco Secure Firewall ASA and FTD devices. It is caused by an infinite loop condition triggered when processing DNS packets with DNS inspection enabled and NAT44, NAT64, or NAT46 configured. An unauthenticated remote attacker can exploit this by sending specially crafted DNS packets that match a static NAT rule, causing the device to enter an infinite loop and reload unexpectedly.
How can this vulnerability impact me?
Exploiting this vulnerability can cause the affected Cisco Secure Firewall ASA or FTD device to reload unexpectedly, resulting in a denial of service (DoS) condition. This means network traffic could be disrupted, potentially causing downtime and loss of availability for services protected by the device.