Cisco IOS, IOS XE, Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerabilities

🚨 SEVERITY: HIGH — CVSS 8.6 Security Advisory

TL;DR 📌

Cisco has identified multiple high-severity vulnerabilities in the IKEv2 feature of Cisco IOS, IOS XE, Secure Firewall ASA, and Secure Firewall FTD software that could allow unauthenticated remote attackers to trigger denial of service (DoS) conditions. Software updates are available to address these vulnerabilities.

What happened 🕵️‍♂️

Cisco has released an advisory detailing several vulnerabilities in the Internet Key Exchange Version 2 (IKEv2) feature across various Cisco software platforms. These vulnerabilities can be exploited by unauthenticated remote attackers to cause devices to reload or trigger memory leaks, leading to a denial of service condition.

Affected products 🖥️

The vulnerabilities affect the following Cisco products when the IKEv2 VPN feature is enabled:

  • Cisco IOS Software
  • Cisco IOS XE Software
  • Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
  • Cisco Secure Firewall Threat Defense (FTD) Software

Note: The Group Encrypted Transport VPN (GET VPN) feature is not affected.

Fixed software 🔧

Upgrade to the first fixed release in your train (or later):

Release / Product First Fixed Release Notes
1.0 Initial public release.

Workarounds 🧯

There are no workarounds available to mitigate these vulnerabilities.

Risk in context 🎯

The highest CVSS score for these vulnerabilities is 8.6, categorizing them as High severity. The vulnerabilities are exploitable from the internet without authentication, allowing attackers to potentially disrupt service availability. Immediate patching is recommended to mitigate risks.

Fast facts ⚡

  • Vulnerabilities: CVE-2025-20224, CVE-2025-20225, CVE-2025-20239, CVE-2025-20252, CVE-2025-20253, CVE-2025-20254
  • Severity: Highest CVSS score of 8.6 (High)
  • Impact: Denial of service conditions
  • Exploitation: Unauthenticated remote access required
  • Workarounds: None available

For leadership 🧭

Cisco has identified multiple high-severity vulnerabilities in its IKEv2 feature, with a risk rating of High (CVSS 8.6). These vulnerabilities can be exploited remotely without authentication, potentially leading to service disruptions. Immediate remediation is crucial; organizations should patch affected systems within 7 days to mitigate risks. The operational impact is expected to be minimal, with brief maintenance windows and no anticipated configuration drift.

Now: Review and identify affected systems.
Next: Patch systems within 7 days.
Later: Monitor for any unusual activity and ensure compliance with security policies.