Cisco Meraki MX and Z Series AnyConnect VPN with Client Certificate Authentication Denial of Service Vulnerability

🚨 SEVERITY: HIGH — CVSS 8.6 Security Advisory

TL;DR 📌

  • A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition in the Cisco AnyConnect service on an affected device. This vulnerability is due to variable initialization errors when an SSL VPN session is established. An attacker…
  • Fixed firmware releases are available; see the Fixed software section below for the first fixed release in each train.
  • There are no workarounds that address this vulnerability.
  • CVEs: CVE-2025-20271.

What happened 🕵️‍♂️

A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition in the Cisco AnyConnect service on an affected device.

This vulnerability is due to variable initialization errors when an SSL VPN session is established. An attacker could exploit this vulnerability by sending a sequence of crafted HTTPS requests to an affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to restart, resulting in the failure of all established SSL VPN sessions and forcing remote users to initiate a new VPN connection and re-authenticate. A sustained attack could prevent new SSL VPN connections from being established, effectively making the Cisco AnyConnect VPN service unavailable for all legitimate users.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Affected products 🖥️

This vulnerability affects the following Cisco Meraki products if they are running a vulnerable release of Cisco Meraki MX firmware and have Cisco AnyConnect VPN with client certificate authentication enabled:

  • MX64, MX64W, MX65, MX65W, MX67, MX67C, MX67W
  • MX68, MX68CW, MX68W, MX75, MX84, MX85, MX95
  • MX100, MX105, MX250, MX400, MX450, MX600, vMX
  • Z3, Z3C, Z4, Z4C

Note: Cisco AnyConnect VPN is supported on Cisco Meraki MX and Cisco Meraki Z Series devices that run Cisco Meraki MX firmware releases 16.2 and later, except for Cisco Meraki MX64 and MX65, which support Cisco AnyConnect VPN only if they are running Cisco Meraki MX firmware releases 17.6 and later.

For information about which Cisco software releases are vulnerable, see the Fixed software section of this advisory.

Determine the Device Configuration

To determine whether Cisco AnyConnect VPN with client certificate authentication is enabled on a Cisco Meraki MX or Cisco Meraki Z Series device, complete the following steps:

  1. Log in to the Dashboard.
  2. The second step differs slightly between platforms and license levels:
     • For Cisco Meraki MX devices, choose Security & SD-WAN > Configure > Client VPN in the combined view.
     • For Cisco Meraki Z Series devices, choose Teleworker Gateway > Configure > Client VPN in the combined view.
  3. Choose the AnyConnect Settings tab. If the Enabled radio button is selected, the device is configured to support Cisco AnyConnect VPN and is potentially affected by the vulnerability described in this advisory; continue to Step 4. If the Cisco AnyConnect Settings tab is not displayed, or if the Disabled radio button is selected, the device is not impacted by this vulnerability.
  4. Scroll down to the Authentication & policy section. If Certificate authentication is set to Enabled, client certificate authentication is enabled and the device is affected by this vulnerability. If it is set to Disabled, the device is not impacted by this vulnerability.

Additional Information

Cisco Meraki MX and Cisco Meraki Z Series devices support the following two VPN services for remote network access:

  • Client VPN, which uses Layer 2 Tunneling Protocol (L2TP) or IPsec tunneling protocols
  • Cisco AnyConnect VPN, which uses TLS and Datagram TLS (DTLS) protocols and is commonly referred to as SSL VPN

On both Cisco Meraki MX and Cisco Meraki Z Series devices, Client VPN (L2TP/IPsec) and Cisco AnyConnect VPN (SSL) services can be enabled simultaneously.

Note: This vulnerability resides in the establishment of SSL VPN sessions, so it affects only devices that are configured with Cisco AnyConnect VPN. Devices that are configured to provide remote network access exclusively through Client VPN (L2TP/IPsec) are not affected by this vulnerability.

Fixed software 🔧

Upgrade to the first fixed release in your train (or later):

Cisco Meraki MX Firmware Release    First Fixed Release
16.2                                Migrate to a fixed release.
17                                  Migrate to a fixed release.
18.1xx                              18.107.13
18.2xx                              18.211.6
19.1                                19.1.8

Revision history: 1.0, Initial public release.
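As an added example (not part of the Cisco advisory and not vendor code), the following Python helper encodes the fixed-release table above and classifies an MX firmware version string by train, so an inventory export can be checked in bulk. The train boundaries (18.1xx taken as minor versions 100 to 199, 18.2xx as 200 to 299), the `anyconnect_cert_auth` gate, and the handling of releases the table does not list are assumptions of this example; the sample inventory is constructed.

```python
"""Classify Cisco Meraki MX firmware versions against the advisory's
fixed-release table. Added example, not Cisco's code."""
from typing import Optional, Tuple

# First fixed release per train, copied from the advisory's table.
FIRST_FIXED = {
    "18.1xx": "18.107.13",
    "18.2xx": "18.211.6",
    "19.1": "19.1.8",
}
# Trains the advisory says to migrate off rather than patch in place.
MIGRATE_TRAINS = {"16.2", "17"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '18.107.13' into (18, 107, 13) so tuples compare numerically."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def train_of(version: str) -> Optional[str]:
    """Map a version to the advisory's train label, or None if unlisted.

    Assumption: '18.1xx' covers 18.100-18.199 and '18.2xx' covers
    18.200-18.299; all 16.x and 17.x releases fall under the two
    'migrate' rows.
    """
    parts = parse_version(version)
    major = parts[0]
    minor = parts[1] if len(parts) > 1 else 0
    if major == 16:
        return "16.2"
    if major == 17:
        return "17"
    if major == 18 and 100 <= minor <= 199:
        return "18.1xx"
    if major == 18 and 200 <= minor <= 299:
        return "18.2xx"
    if major == 19 and minor == 1:
        return "19.1"
    return None


def assess(version: str, anyconnect_cert_auth: bool = True) -> Tuple[str, Optional[str]]:
    """Return (status, first_fixed).

    status is 'not_exposed', 'fixed', 'vulnerable', 'migrate' or 'unknown'.
    The advisory applies only when AnyConnect VPN with client certificate
    authentication is enabled, so that gate is checked before the version.
    """
    if not anyconnect_cert_auth:
        return ("not_exposed", None)
    train = train_of(version)
    if train is None:
        return ("unknown", None)  # not in the table; consult the vendor advisory
    if train in MIGRATE_TRAINS:
        return ("migrate", None)
    fixed = FIRST_FIXED[train]
    if parse_version(version) >= parse_version(fixed):
        return ("fixed", fixed)
    return ("vulnerable", fixed)


if __name__ == "__main__":
    # Constructed sample inventory; device names and versions are made up.
    inventory = {
        "mx-hq-01": "18.107.12",
        "mx-branch-07": "18.211.6",
        "z4-teleworker": "19.1.7",
        "mx-legacy": "17.10.2",
    }
    for name, ver in inventory.items():
        status, fixed = assess(ver)
        suffix = f" (first fixed {fixed})" if fixed else ""
        print(f"{name:15} {ver:10} -> {status}{suffix}")
```

Feed it the firmware column of a Dashboard inventory export together with the per-network result of the Determine the Device Configuration steps; devices that report `vulnerable` or `migrate` with certificate authentication enabled are the ones to schedule first.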

Workarounds 🧯

There are no workarounds that address this vulnerability.

Risk in context 🎯

Use vendor CVSS for prioritization. Consider exposure and asset criticality.

Fast facts ⚡

  • Advisory: cisco-sa-meraki-mx-vpn-dos-sM5GCfm7
  • Initial release: 2025-06-18T16:00:00 UTC
  • Last updated: 2025-06-18T16:00:00 UTC

For leadership 🧭

Executive summary. Risk is High (CVSS 8.6) for Cisco Meraki MX firmware on MX and Z Series devices running Cisco AnyConnect VPN with client certificate authentication. Vendor fixes are available; prioritize upgrade within 7 days based on environment risk.

Why it matters (exposure drivers):

  • Service impact depends on whether AnyConnect VPN with client certificate authentication is enabled and on how many remote users rely on it; a sustained attack can make the service unavailable to all of them.
  • Treat internet-exposed AnyConnect VPN endpoints as higher risk, since the attacker needs no credentials.
  • Ensure monitoring for AnyConnect VPN server restarts and unexplained drops of established SSL VPN sessions until upgrades complete.

Remediation & timing:

  • Upgrade to the first fixed release per the table above; schedule an approved change window within 7 days.
  • Change risk: low-to-moderate (standard vendor patch). Validate backups and rollback plan.

Now / Next / Later:

  • Now: Confirm exposure, identify affected versions, and enable monitoring/alerts.
  • Next: Patch according to the fixed software table; verify service health post-change.
  • Later: Add control checks to build pipeline/CMDB to block drift to vulnerable trains.