CVE-2025-20252
BaseFortify
Publication date: 2025-08-14
Last updated on: 2025-08-15
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | ios_xe | * |
| cisco | secure_firewall_threat_defense | * |
| cisco | ios | * |
| cisco | secure_firewall_adaptive_security_appliance | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Internet Key Exchange Version 2 (IKEv2) module of Cisco Secure Firewall ASA and FTD software. It allows an unauthenticated remote attacker to send specially crafted IKEv2 packets that cause a memory leak. This memory leak can lead to system instability and denial of service by exhausting system memory, preventing new IKEv2 VPN sessions from being established until the device is manually rebooted.
How can this vulnerability impact me? :
The impact of this vulnerability is a denial of service (DoS) condition on affected Cisco firewall devices. An attacker can cause the device to become unstable and unable to establish new VPN sessions by exhausting system memory. Recovery requires a manual reboot, which can disrupt network security and connectivity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid allowing continuous streams of crafted IKEv2 packets to the affected device. If the device becomes unstable or unable to establish new IKEv2 VPN sessions due to memory exhaustion, perform a manual reboot to recover the system. Additionally, monitor for unusual IKEv2 traffic patterns that could indicate exploitation attempts.