CVE-2025-20239
BaseFortify
Publication date: 2025-08-14
Last updated on: 2025-08-15
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | ios_xe | * |
| cisco | secure_firewall_threat_defense | * |
| cisco | ios | * |
| cisco | secure_firewall_adaptive_security_appliance | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Internet Key Exchange Version 2 (IKEv2) feature of certain Cisco software products. It allows an unauthenticated, remote attacker to send specially crafted IKEv2 packets that trigger a memory leak. This memory leak can cause denial of service (DoS) conditions by making the device unstable or causing it to reload unexpectedly.
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to denial of service conditions. For Cisco IOS and IOS XE Software, the device may reload unexpectedly, causing service interruptions. For Cisco ASA and FTD Software, system memory can be partially exhausted, leading to instability and inability to establish new IKEv2 VPN sessions. Recovery requires a manual reboot of the affected device.
What immediate steps should I take to mitigate this vulnerability?
Immediate steps include monitoring for unusual IKEv2 traffic that could indicate exploitation attempts and preparing to manually reboot affected devices if instability or denial of service conditions occur. Applying any available patches or updates from Cisco addressing this vulnerability is also recommended once released.