Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Network Address Translation DNS Inspection Denial of Service Vulnerability
TL;DR 📌
A high-severity vulnerability has been identified in Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) Software, specifically affecting the Network Address Translation (NAT) DNS inspection feature. An unauthenticated remote attacker could exploit this vulnerability to cause a denial of service (DoS) condition by sending crafted DNS packets. Cisco has released software updates to address this issue, but no workarounds are available.
What happened 🕵️♂️
A vulnerability exists in the DNS inspection function for NAT configurations in Cisco Secure Firewall ASA and FTD Software. This flaw allows an unauthenticated remote attacker to send specially crafted DNS packets that trigger an infinite loop, causing the device to reload unexpectedly and resulting in a denial of service (DoS) condition. The vulnerability is due to the processing of DNS packets when DNS inspection is enabled and NAT is configured.
Affected products 🖥️
- Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
- Cisco Secure Firewall Threat Defense (FTD) Software
Devices running these software versions with both NAT and DNS inspection features enabled are vulnerable.
Fixed software 🔧
Upgrade to the first fixed release in your train (or later):
| Release / Product | First Fixed Release | Notes |
|---|---|---|
| 1.0 | Initial public release. |
Workarounds 🧯
There are no workarounds available to mitigate this vulnerability.
Risk in context 🎯
The vulnerability has a CVSS score of 8.6, categorizing it as High severity. The primary exposure driver is that the vulnerability can be exploited remotely without authentication, leading to potential service disruption. Given the lack of workarounds, immediate patching is essential to mitigate the risk.
Fast facts ⚡
- Vulnerability ID: CVE-2025-20136
- CVSS Score: 8.6 (High)
- Impact: Denial of Service (DoS)
- Exploitation: Requires crafted DNS packets
- Workarounds: None available
For leadership 🧭
This vulnerability presents a High risk to our network infrastructure, with a CVSS score of 8.6. It can be exploited remotely without authentication, potentially leading to significant service disruptions. Immediate remediation is required, and we recommend patching affected devices within the next 7 days. The operational impact involves a brief maintenance window with no expected configuration drift.
Now: Identify affected devices and schedule patching.
Next: Apply the necessary software updates as they become available.
Later: Review network configurations to ensure compliance and security best practices.
Given the nature of this vulnerability, prompt action is crucial to maintain the integrity and availability of our network services.