CVE-2025-20182

8.6 HIGH

📋 TL;DR

An unauthenticated, remote attacker can crash and reload affected Cisco devices by sending crafted IKEv2 messages to the device's IKEv2 listener (UDP/500, or UDP/4500 when NAT traversal is in use). The root cause is insufficient input validation when IKEv2 messages are processed, and the same bug is shared across Cisco ASA, FTD, IOS and IOS XE Software. The reload is the denial of service: no credentials, pre-shared key or existing security association are needed, only network reachability to an interface with IKEv2 enabled.

💻 Affected Systems

Products:
  • Cisco Adaptive Security Appliance (ASA) Software
  • Cisco Firepower Threat Defense (FTD) Software
  • Cisco IOS Software
  • Cisco IOS XE Software
Versions: Multiple versions across product lines - check Cisco advisory for specific affected versions
Operating Systems: Cisco proprietary OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only devices with IKEv2 enabled on an interface the attacker can reach are affected. IKEv2 is the key-exchange protocol behind most site-to-site and remote-access IPsec VPNs, so on a VPN gateway it is normally enabled on the internet-facing interface.

📦 What is this software?

ASA and FTD are Cisco's firewall and VPN gateway platforms; IOS and IOS XE are the operating systems of Cisco routers and switches. All four terminate IPsec VPN tunnels and run an IKEv2 responder to negotiate them, which is the code path this vulnerability hits.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service: an attacker who keeps sending crafted messages forces repeated reloads of the VPN gateway or router, taking down every tunnel and all transit traffic it carries for as long as the attack continues or until the device is patched or shielded.

🟠 Likely Case

Intermittent device crashes leading to service interruptions, with all VPN tunnels and transit traffic lost during each reload cycle.

🟢 If Mitigated

Limited impact where IKEv2 is reachable only from known peer addresses (network segmentation plus IKEv2 traffic filtering), since the attacker must be able to deliver packets to the IKEv2 listener.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires nothing more than sending crafted IKEv2 messages to UDP/500 or UDP/4500 on an interface where IKEv2 is enabled; no authentication, pre-shared key or existing tunnel is needed. No public proof of concept is listed here, but the attack consists only of protocol messages the responder must parse before any authentication takes place, which is why complexity is rated low.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Varies by product - refer to Cisco advisory for specific fixed versions

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-multiprod-ikev2-dos-gPctUqv2

Restart Required: Yes

Instructions:

1. Look up your platform and release in the Cisco advisory (or the Cisco Software Checker) to confirm you are affected and find the first fixed release.
2. Download the fixed software image for your device.
3. Schedule a maintenance window; the upgrade reloads the device and drops all tunnels and transit traffic through it.
4. Back up the running configuration (and, on FTD, the FMC/FDM deployment).
5. Apply the update following Cisco's upgrade procedure for that platform.
6. After the reload, confirm the new version with show version and verify that VPN tunnels re-establish.

🔧 Temporary Workarounds

Block IKEv2 traffic from untrusted sources

Platform: ASA/FTD syntax shown; IOS and IOS XE use an inbound interface ACL with the same logic

Permit UDP/500 and UDP/4500 only from your known IKE peers and deny them from everyone else. On ASA a regular interface ACL filters only traffic passing through the appliance; IKE packets are addressed to the appliance itself, so the ACL must be applied to the control plane with the control-plane keyword, and permit entries for the trusted peers must come before these deny entries:

access-list IKE_CP extended deny udp any any eq 500
access-list IKE_CP extended deny udp any any eq 4500
access-group IKE_CP in interface outside control-plane

These deny lines match IKEv1 as well as IKEv2, since both use the same ports. On FTD, deploy the equivalent rules through FMC or FDM.

Disable IKEv2 if not needed

Platform: ASA/FTD (on IOS and IOS XE, remove the IKEv2 profile or crypto map binding from the interface instead)

If an interface carries no IKEv2 peers, disable IKEv2 on that interface so the listener never processes attacker packets. On ASA this is the negated form of the enable command:

no crypto ikev2 enable outside
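The two workarounds above, written out as a complete configuration. This is an added example, not the page's own configuration and not from the Cisco advisory; the interface name outside, the peer addresses 203.0.113.10 and 203.0.113.11, and the IOS interface GigabitEthernet0/0 are placeholders you must replace. The ASA section keeps an explicit permit at the end so management and other to-the-box traffic is not affected, and the IOS section should be merged with any ACL already on the interface.

```text
! Added example, not from the page or the Cisco advisory. Placeholders:
! interface "outside", peers 203.0.113.10/11, IOS interface GigabitEthernet0/0.
!
! --- ASA (FTD: push the same rules via FMC/FDM) ---
! An interface ACL on ASA only filters through-the-box traffic; IKE packets
! are addressed to the appliance itself, so the filter must be applied to
! the control plane. Trusted peers are permitted before the deny entries.
object-group network VPN_PEERS
 network-object host 203.0.113.10
 network-object host 203.0.113.11
!
access-list IKE_CP extended permit udp object-group VPN_PEERS any eq 500
access-list IKE_CP extended permit udp object-group VPN_PEERS any eq 4500
access-list IKE_CP extended deny udp any any eq 500
access-list IKE_CP extended deny udp any any eq 4500
! explicit permit so management and other to-the-box traffic is untouched
access-list IKE_CP extended permit ip any any
access-group IKE_CP in interface outside control-plane
!
! Where an interface carries no IKEv2 peers at all, turn the listener off
! (negation of "crypto ikev2 enable outside"; IKEv1 is unaffected by it):
no crypto ikev2 enable outside
!
! --- IOS / IOS XE ---
! Here an inbound interface ACL does filter traffic destined to the router,
! so no control-plane keyword is needed. isakmp = UDP/500,
! non500-isakmp = UDP/4500. Merge with any ACL already on the interface.
ip access-list extended IKE_IN
 permit udp host 203.0.113.10 any eq isakmp
 permit udp host 203.0.113.10 any eq non500-isakmp
 permit udp host 203.0.113.11 any eq isakmp
 permit udp host 203.0.113.11 any eq non500-isakmp
 deny   udp any any eq isakmp
 deny   udp any any eq non500-isakmp
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group IKE_IN in
```

After applying the ASA ACL, confirm that existing tunnels from the listed peers still rekey and that SSH or HTTPS management on the same interface still works; a missing permit for a peer that uses NAT-T (UDP/4500) is the usual mistake.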

🧯 If You Can't Patch

  • Implement strict network segmentation to limit IKEv2 traffic to trusted sources only
  • Deploy intrusion prevention systems with signatures for IKEv2 protocol anomalies

🔍 How to Verify

Check if Vulnerable:

Compare the running release against the affected versions in the Cisco advisory, then confirm whether IKEv2 is actually enabled: a device on an affected release with IKEv2 disabled on every reachable interface is not exposed. On ASA and FTD, the running configuration shows crypto ikev2 enable followed by an interface name for each interface that listens; on IOS and IOS XE, look for an IKEv2 profile bound to a live crypto map or tunnel interface (show running-config | include ikev2 is a quick first pass on any of the four platforms).

Check Version:

show version

Verify Fix Applied:

After the upgrade, show version must report a release equal to or later than the first fixed release for your platform in the advisory, and the device must have completed the reload that installs it.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected device reloads (on ASA, a startup-completed syslog with no matching planned reload; on IOS/IOS XE, a "System returned to ROM" reason in show version that you did not cause)
  • IKEv2 protocol errors: on ASA these arrive as syslog IDs in the 750xxx range (for example a negotiation aborted due to ERROR); on IOS/IOS XE as IKEv2 error messages
  • High volume of IKEv2 connection attempts from a single peer that never complete authentication

Network Indicators:

  • Spike in UDP/500 or UDP/4500 traffic from a single source
  • Malformed or truncated IKEv2 messages (IKE_SA_INIT with unexpected payload lengths) seen by an IDS in front of the gateway
  • Port 500/4500 traffic from addresses that are not configured VPN peers

SIEM Query:

A Splunk-style starting point; the source or sourcetype value and the field names depend on how your Cisco logs are ingested, so adjust them before use. The parentheses make the intended grouping explicit:

source="cisco-asa" ((reload OR crash) OR (IKEv2 AND error))
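The three log indicators above, turned into an offline triage pass you can run against an exported syslog file. This is an added example, not from the page, from Cisco, or from any SIEM vendor. It assumes ASA reports IKEv2 events with message IDs 750002 (IKE_SA_INIT received) and 750003 (negotiation aborted due to ERROR), names the peer as Remote:<ip>:<port>, and emits 199002 ("Startup completed") when a boot finishes; the sample lines are constructed approximations of those messages, not captured device output, and the 60-second window and threshold of 5 are illustrative.

```python
"""Added example: triage ASA-style syslog for CVE-2025-20182 indicators.

Not from the page or from Cisco. Assumed message IDs: 750002 (IKE_SA_INIT
received), 750003 (negotiation aborted due to ERROR), 199002 (startup
completed). Sample lines below are constructed, not captured output.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log. Peer 203.0.113.50 hammers IKE_SA_INIT and triggers
# parse errors; legitimate peer 192.0.2.7 negotiates once; the last line
# shows the box coming back up after a reload.
SAMPLE_LOG = """\
Jun 10 2025 12:00:01 fw01 %ASA-7-750002: Local:198.51.100.1:500 Remote:203.0.113.50:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
Jun 10 2025 12:00:01 fw01 %ASA-7-750002: Local:198.51.100.1:500 Remote:203.0.113.50:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
Jun 10 2025 12:00:02 fw01 %ASA-5-750003: Local:198.51.100.1:500 Remote:203.0.113.50:500 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Failed to parse message
Jun 10 2025 12:00:02 fw01 %ASA-7-750002: Local:198.51.100.1:500 Remote:203.0.113.50:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
Jun 10 2025 12:00:03 fw01 %ASA-7-750002: Local:198.51.100.1:500 Remote:192.0.2.7:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
Jun 10 2025 12:00:03 fw01 %ASA-7-750002: Local:198.51.100.1:500 Remote:203.0.113.50:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
Jun 10 2025 12:00:04 fw01 %ASA-5-750003: Local:198.51.100.1:500 Remote:203.0.113.50:500 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Failed to parse message
Jun 10 2025 12:00:04 fw01 %ASA-7-750002: Local:198.51.100.1:500 Remote:203.0.113.50:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
Jun 10 2025 12:00:05 fw01 %ASA-7-750002: Local:198.51.100.1:500 Remote:203.0.113.50:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
Jun 10 2025 12:00:06 fw01 %ASA-6-302013: Built inbound TCP connection 12 for outside:192.0.2.7/51000 (192.0.2.7/51000) to inside:10.0.0.5/443 (10.0.0.5/443)
Jun 10 2025 12:03:30 fw01 %ASA-6-199002: Startup completed. Beginning operation.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%ASA-\d-(?P<id>\d{6}): (?P<msg>.*)$"
)
REMOTE_RE = re.compile(r"Remote:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+")

IKEV2_INIT = "750002"    # IKE_SA_INIT received from a peer (assumed ID)
IKEV2_ABORT = "750003"   # negotiation aborted due to ERROR (assumed ID)
STARTUP_DONE = "199002"  # "Startup completed": the device finished booting


def parse_line(line):
    """Return {'ts', 'id', 'remote', 'msg'} for an ASA syslog line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
    peer = REMOTE_RE.search(m.group("msg"))
    return {
        "ts": ts,
        "id": m.group("id"),
        "remote": peer.group("ip") if peer else None,
        "msg": m.group("msg"),
    }


def analyze(lines, window_s=60, init_threshold=5):
    """Scan log lines in order and return the three indicator sets.

    flood_sources: peers whose IKE_SA_INIT count inside some window_s-second
                   sliding window reached init_threshold, with the peak count
    abort_counts:  IKEv2 negotiation aborts per peer
    reloads:       ISO timestamps of startup-completed events
    """
    recent = defaultdict(deque)  # peer -> timestamps of inits still in window
    peak = defaultdict(int)      # peer -> highest in-window count observed
    aborts = defaultdict(int)
    reloads = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["id"] == STARTUP_DONE:
            reloads.append(ev["ts"].isoformat())
        elif ev["id"] == IKEV2_INIT and ev["remote"]:
            q = recent[ev["remote"]]
            q.append(ev["ts"])
            # drop inits that have fallen out of the sliding window
            while (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            peak[ev["remote"]] = max(peak[ev["remote"]], len(q))
        elif ev["id"] == IKEV2_ABORT and ev["remote"]:
            aborts[ev["remote"]] += 1
    flood = {ip: n for ip, n in peak.items() if n >= init_threshold}
    return {"flood_sources": flood, "abort_counts": dict(aborts), "reloads": reloads}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for ip, n in result["flood_sources"].items():
        print(f"IKE_SA_INIT burst: {ip} sent {n} requests within 60 s")
    for ip, n in result["abort_counts"].items():
        print(f"IKEv2 negotiation aborts from {ip}: {n}")
    for ts in result["reloads"]:
        print(f"startup completed at {ts}: check whether this reload was planned")
```

Run it against your own export with analyze(open("asa.log").read().splitlines()); a peer that appears in flood_sources and abort_counts but is not one of your configured VPN peers, followed shortly by a startup-completed event, is the pattern this advisory describes. Tune window_s and init_threshold to the normal rekey rate of your largest peer so legitimate bursts after a reload do not trip the check.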

🔗 References

  • Cisco Security Advisory cisco-sa-multiprod-ikev2-dos-gPctUqv2: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-multiprod-ikev2-dos-gPctUqv2