CVE-2025-20136
📋 TL;DR
This vulnerability allows an unauthenticated, remote attacker to crash and reload a Cisco ASA or FTD firewall by sending crafted DNS packets through the device. It affects devices configured with NAT44, NAT64, or NAT46 where DNS inspection is enabled on static NAT rules; the crafted packets trigger an infinite loop in the NAT DNS handling path. The result is a denial of service that interrupts all traffic passing through the firewall until it finishes reloading.
💻 Affected Systems
- Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
- Cisco Secure Firewall Threat Defense (FTD) Software
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Firewall becomes completely unavailable, causing network outage and disrupting all traffic passing through the device until it reboots.
Likely Case
Intermittent firewall crashes causing service disruptions, packet loss, and connectivity issues for users behind the firewall.
If Mitigated
Minimal impact if the fixed release is installed, or if the vulnerable combination (static NAT rules with DNS rewrite plus DNS inspection) is not in use or has been removed.
🎯 Exploit Status
Exploitation requires only that crafted DNS packets reach the device and match a static NAT rule with DNS inspection enabled; no authentication or prior access is needed. This page lists no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Cisco advisory for specific fixed releases
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-nat-dns-dos-bqhynHTM
Restart Required: Yes
Instructions:
1. Review the Cisco advisory (and the Cisco Software Checker it links to) for the first fixed release in your ASA or FTD train.
2. Download that release from the Cisco Software Center.
3. Upgrade following the Cisco ASA or FTD upgrade procedures (FTD is upgraded through FMC, FDM or CDO; failover pairs should use the documented zero-downtime procedure).
4. Reload the device to activate the fix.
5. Confirm with show version that the running release is a fixed one.
🔧 Temporary Workarounds
Disable DNS inspection on static NAT rules
Remove DNS inspection from static NAT rules so that DNS packets matching them no longer enter the code path that triggers the infinite loop. The commands "no dns inspect" and "clear configure dns inspect" shown on the original page are not valid ASA syntax. On ASA, DNS rewrite on a NAT rule is the dns keyword on the nat command, and DNS inspection itself is the inspect dns action in the applied service policy. Either remove the dns keyword from the affected static rules, or remove inspect dns from the policy (object name, addresses and the default policy names below are placeholders; substitute your own):
object network obj-web
 no nat (inside,outside) static 203.0.113.5 dns
 nat (inside,outside) static 203.0.113.5
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
Caveat: removing inspect dns disables DNS protocol checks and DNS rewrite for every rule, not just the vulnerable ones, so applications that relied on rewritten A/AAAA answers may break. Confirm with the Cisco advisory whether Cisco considers this a supported workaround for your release.
Implement access control lists
Restrict inbound DNS traffic to trusted sources only. The ACL on the original page ("permit udp any any eq 53") permits DNS from everywhere, so it restricts nothing, and if applied as the only entry on the outside interface its implicit deny would drop all other traffic. A correct shape (203.0.113.53 is a placeholder for your trusted resolver or DNS peer; merge these lines into your existing outside ACL instead of replacing it):
access-list OUTSIDE-IN extended permit udp host 203.0.113.53 any eq domain
access-list OUTSIDE-IN extended permit tcp host 203.0.113.53 any eq domain
access-list OUTSIDE-IN extended deny udp any any eq domain
access-list OUTSIDE-IN extended deny tcp any any eq domain
access-list OUTSIDE-IN extended permit ip any any
access-group OUTSIDE-IN in interface outside
Replace the final permit with your real policy. This limits who can reach the vulnerable path; it does not protect against crafted packets from a permitted source.
🧯 If You Can't Patch
- Remove DNS inspection (the dns keyword on static NAT rules, or inspect dns in the service policy) from every static NAT rule immediately, accepting the loss of DNS rewrite
- Apply strict interface ACLs so that only authorized sources can send DNS traffic through the firewall
🔍 How to Verify
Check if Vulnerable:
Check whether the device has NAT44, NAT64 or NAT46 static rules carrying the dns keyword (show running-config nat) together with DNS inspection enabled in an applied service policy (show running-config policy-map and show service-policy inspect dns). A device is exposed only when both conditions are present.
Check Version:
show version
Verify Fix Applied:
Compare the release shown by show version (FTD: from the FTD CLI or the management console) against the fixed releases in the Cisco advisory. Only the running release matters; a fix that has been downloaded but not installed and reloaded does not count.
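The configuration check above can be scripted against a saved copy of show running-config. The following is an added example, not Cisco tooling and not code from the original page: it parses constructed config text, flags nat commands that are static and carry the dns keyword, and checks whether any policy-map applied by a service-policy contains inspect dns. It treats the dns keyword on a static NAT rule as the "DNS inspection enabled on a static NAT rule" condition from this page, which is an interpretation to confirm against the Cisco advisory. The hostname, object names and addresses in the sample are made up.

```python
"""Audit an ASA/FTD running-config for the CVE-2025-20136 exposure pattern:
static NAT rules with the `dns` (DNS rewrite) keyword while DNS inspection is
enabled in an applied service policy. Added example; not Cisco code."""
import re

# Constructed sample configuration; not captured from a real device.
SAMPLE_CONFIG = """\
hostname fw-edge
object network obj-web
 host 10.1.1.5
 nat (inside,outside) static 203.0.113.5 dns
object network obj-mail
 host 10.1.1.6
 nat (inside,outside) static 203.0.113.6
object network obj-lan
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
nat (inside,outside) source static obj-app obj-app-pub dns
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""

# Matches both object NAT (indented under an object) and twice NAT (top level).
NAT_RE = re.compile(r"^\s*nat\s+\(([^,]+),([^)]+)\)\s+(.*)$")


def parse_nat_rules(config):
    """Return one dict per nat command: interfaces, static?, dns keyword?"""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if not m:
            continue
        tokens = m.group(3).split()
        rules.append({
            "line": line.strip(),
            "interfaces": (m.group(1), m.group(2)),
            "static": "static" in tokens,
            "dns": "dns" in tokens,
        })
    return rules


def applied_policy_maps(config):
    """Names of policy-maps attached with service-policy (global or per interface)."""
    names = set()
    for line in config.splitlines():
        m = re.match(r"^\s*service-policy\s+(\S+)\s+(global|interface\s+\S+)", line)
        if m:
            names.add(m.group(1))
    return names


def policy_maps_with_dns_inspect(config):
    """Names of policy-maps containing an `inspect dns` action.
    Sub-commands are indented; a non-indented line ends the current policy-map."""
    found = set()
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):
            m = re.match(r"^policy-map\s+(?:type\s+inspect\s+\S+\s+)?(\S+)", line)
            current = m.group(1) if m else None
            continue
        if current and re.match(r"^\s+inspect\s+dns\b", line):
            found.add(current)
    return found


def dns_inspection_enabled(config):
    """True when an applied policy-map carries inspect dns."""
    return bool(applied_policy_maps(config) & policy_maps_with_dns_inspect(config))


def assess(config):
    """Combine both conditions; `exposed` is True only when both hold."""
    rules = parse_nat_rules(config)
    static_dns = [r["line"] for r in rules if r["static"] and r["dns"]]
    inspection = dns_inspection_enabled(config)
    return {
        "dns_inspection": inspection,
        "static_dns_nat_rules": static_dns,
        "exposed": inspection and bool(static_dns),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_CONFIG)
    print("DNS inspection applied:", result["dns_inspection"])
    for rule in result["static_dns_nat_rules"]:
        print("static NAT rule with dns keyword:", rule)
    print("exposed:", result["exposed"])
```

Run it against a saved running-config (for example the output of show running-config copied to a file) rather than the constructed sample; a True "exposed" result means both conditions are present and the version check against the advisory decides whether the device is actually vulnerable.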
📡 Detection & Monitoring
Log Indicators:
- Firewall reload events
- High CPU usage alerts
- Crash records from unexpected reloads (show crashinfo on ASA), especially with timestamps close to a burst of DNS traffic
Network Indicators:
- Unusual DNS traffic patterns to firewall
- Firewall becoming unresponsive
SIEM Query:
(source="cisco-asa" OR source="cisco-ftd") AND (message="*Startup completed*" OR message="*Reloading*" OR message="*crash*")
The query on the original page grouped its AND/OR terms without parentheses, so it matched far more than intended, and 500004 is not a reload-related message ID. Confirm message IDs and texts against the ASA Syslog Messages guide for your release before relying on them, and pair any reload hit with a look at inbound UDP/53 connection logs in the minutes before it.
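The correlation described above, as an added example that is not part of the original page and not Cisco tooling: it parses syslog lines in a "timestamp host : %ASA-severity-id: text" shape, locates reload markers, and counts inbound UDP/53 connection-built messages per source address in a window before each marker. The sample lines are constructed in the ASA syslog style (the 302015 connection and 199002 startup messages); validate IDs and texts against the ASA syslog guide for your release before turning this into a production rule. Hostname, addresses and timestamps are made up.

```python
"""Correlate ASA/FTD syslog: bursts of inbound UDP/53 connections shortly before a
reload/startup marker. Added example for CVE-2025-20136 triage; not Cisco code."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines; not a capture from a real device. Check message IDs
# and texts against the ASA syslog guide for your release.
SAMPLE_LOGS = """\
Jun 12 2025 10:14:01 fw-edge : %ASA-6-302015: Built inbound UDP connection 4471 for outside:198.51.100.7/41233 (198.51.100.7/41233) to inside:10.1.1.5/53 (203.0.113.5/53)
Jun 12 2025 10:14:02 fw-edge : %ASA-6-302015: Built inbound UDP connection 4472 for outside:198.51.100.7/41234 (198.51.100.7/41234) to inside:10.1.1.5/53 (203.0.113.5/53)
Jun 12 2025 10:14:02 fw-edge : %ASA-6-302015: Built inbound UDP connection 4473 for outside:192.0.2.9/5353 (192.0.2.9/5353) to inside:10.1.1.5/53 (203.0.113.5/53)
Jun 12 2025 10:14:03 fw-edge : %ASA-6-302015: Built inbound UDP connection 4474 for outside:198.51.100.7/41235 (198.51.100.7/41235) to inside:10.1.1.5/53 (203.0.113.5/53)
Jun 12 2025 10:14:03 fw-edge : %ASA-6-302016: Teardown UDP connection 4471 for outside:198.51.100.7/41233 to inside:10.1.1.5/53 duration 0:00:02 bytes 148
Jun 12 2025 10:14:04 fw-edge : %ASA-6-302015: Built inbound UDP connection 4475 for outside:198.51.100.7/41236 (198.51.100.7/41236) to inside:10.1.1.5/53 (203.0.113.5/53)
Jun 12 2025 10:17:30 fw-edge : %ASA-6-199002: Startup completed. Beginning operation.
Jun 12 2025 10:30:00 fw-edge : %ASA-6-302015: Built inbound UDP connection 12 for outside:192.0.2.9/5354 (192.0.2.9/5354) to inside:10.1.1.5/53 (203.0.113.5/53)
"""

LINE_RE = re.compile(
    r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (\S+) : %(?:ASA|FTD)-(\d)-(\d{6}): (.*)$"
)
# Source real address of an inbound UDP connection whose destination port is 53.
DNS_CONN_RE = re.compile(
    r"Built inbound UDP connection \d+ for \S+?:([\w.:]+)/\d+ \([^)]*\) to \S+?:[\w.:]+/53 "
)
# 199002 is logged after every boot, crash-induced or not; treat it as the reload marker.
RELOAD_IDS = {"199002"}


def parse_events(text):
    """Parse lines into dicts; lines that do not match the expected shape are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, host, sev, msgid, body = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%b %d %Y %H:%M:%S"),
            "host": host, "severity": int(sev), "id": msgid, "text": body,
        })
    return events


def is_reload_marker(ev):
    return ev["id"] in RELOAD_IDS or "Reloading" in ev["text"]


def dns_sources_in_window(events, end, window):
    """Count inbound UDP/53 connections per source address in (end - window, end]."""
    start = end - window
    counts = Counter()
    for ev in events:
        if not (start < ev["ts"] <= end):
            continue
        m = DNS_CONN_RE.search(ev["text"])
        if m:
            counts[m.group(1)] += 1
    return counts


def find_suspicious(text, window_minutes=10, min_conns=3):
    """One entry per reload marker, listing sources with >= min_conns DNS
    connections in the preceding window (most active first)."""
    events = parse_events(text)
    window = timedelta(minutes=window_minutes)
    alerts = []
    for ev in events:
        if not is_reload_marker(ev):
            continue
        counts = dns_sources_in_window(events, ev["ts"], window)
        sources = sorted(((ip, n) for ip, n in counts.items() if n >= min_conns),
                         key=lambda item: -item[1])
        alerts.append({"host": ev["host"], "reload_at": ev["ts"], "sources": sources})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOGS):
        print(f"{a['host']} came back up at {a['reload_at']}; "
              f"DNS sources in the preceding window: {a['sources']}")
```

The window is measured back from the startup message, so it spans the outage as well as the traffic before it; if your collector records the loss of heartbeat or the last message before the gap, anchor the window on that instead. The thresholds are deliberately low for the sample; tune window_minutes and min_conns to the normal DNS rate through the device.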