CVE-2025-20224
BaseFortify
Publication date: 2025-08-14
Last updated on: 2025-08-15
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | ios_xe | * |
| cisco | secure_firewall_threat_defense | * |
| cisco | ios | * |
| cisco | secure_firewall_adaptive_security_appliance | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Internet Key Exchange Version 2 (IKEv2) module of Cisco Secure Firewall ASA and FTD Software. It is caused by improper parsing of IKEv2 packets, which allows an unauthenticated remote attacker to send specially crafted IKEv2 packets continuously. This triggers a memory leak that can partially exhaust system memory, leading to system instability and denial of service.
How can this vulnerability impact me? :
The impact of this vulnerability is a denial of service (DoS) condition. An attacker exploiting this flaw can cause the affected device to become unstable and unable to establish new IKEv2 VPN sessions. Recovery requires a manual reboot of the device, which can disrupt network security and connectivity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should monitor for unusual memory usage or instability related to IKEv2 VPN sessions on affected Cisco Secure Firewall ASA and FTD devices. If a denial of service condition occurs, a manual reboot of the device is required to recover. Additionally, consider limiting exposure to untrusted networks and applying any available software updates or patches from Cisco once released.