CVE-2025-20254
BaseFortify
Publication date: 2025-08-14
Last updated on: 2025-08-15
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | ios_xe | * |
| cisco | secure_firewall_threat_defense | * |
| cisco | ios | * |
| cisco | secure_firewall_adaptive_security_appliance | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Internet Key Exchange Version 2 (IKEv2) module of Cisco Secure Firewall ASA and FTD software. It is caused by improper parsing of IKEv2 packets, which allows an unauthenticated remote attacker to send specially crafted packets that trigger a memory leak. This memory leak can lead to system instability and denial of service (DoS) conditions.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can cause a denial of service by partially exhausting system memory, which may prevent the device from establishing new IKEv2 VPN sessions. Recovery from this condition requires a manual reboot of the affected device, potentially disrupting network security and connectivity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should monitor for unusual or continuous streams of IKEv2 packets that could trigger the memory leak. Since exploitation causes system instability and requires a manual reboot to recover, an immediate step is to reboot the affected device if instability is detected. Additionally, consider applying any available patches or updates from Cisco once released to fix the improper parsing issue.