CVE-2025-20222
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to cause a denial of service by sending specially crafted IPv6 packets over IPsec VPN connections to Cisco ASA and FTD devices. The improper processing of IPv6 packets in the RADIUS proxy feature triggers a device reload, disrupting network services. Organizations using Cisco Secure Firewall ASA Software or FTD Software with IPsec VPN and RADIUS proxy features are affected.
💻 Affected Systems
- Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
- Cisco Secure Firewall Threat Defense (FTD) Software
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete network outage as firewall devices reload, disrupting all traffic passing through them including VPN connections, internet access, and internal network segmentation.
Likely Case
Intermittent service disruptions during device reloads, causing VPN disconnections and temporary loss of firewall protection until devices restart.
If Mitigated
Minimal impact if devices are patched or workarounds are implemented, with potential for brief service interruptions during maintenance windows.
🎯 Exploit Status
Exploitation requires sending IPv6 packets over an established IPsec VPN connection. No authentication is required once a VPN tunnel is established.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Multiple fixed versions available - see Cisco advisory for specific versions
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fp2k-IPsec-dos-tjwgdZCO
Restart Required: Yes
Instructions:
1. Review the Cisco advisory for the fixed versions that apply to your device model.
2. Download the appropriate firmware from the Cisco Software Center.
3. Back up the current configuration.
4. Apply the firmware update following Cisco upgrade procedures.
5. Verify the upgrade succeeded and that functionality is restored.
🔧 Temporary Workarounds
Disable IPv6 on IPsec VPN connections
Prevent IPv6 traffic from traversing IPsec VPN tunnels to block the exploitation vector
no ipv6 enable
no tunnel ipv6
Disable RADIUS proxy feature
Remove the vulnerable component if it is not required for operations. In the commands below, "radius" is the AAA server-group tag; substitute the tag used in your running configuration. The second command is IOS-style syntax, so on ASA first check which "aaa authentication" lines reference that group with "show running-config aaa" and remove those bindings before removing the group.
no aaa-server radius protocol radius
no aaa authentication login default group radius
🧯 If You Can't Patch
- Implement network segmentation to restrict access to VPN endpoints
- Deploy intrusion prevention systems to detect and block malicious IPv6 packets
🔍 How to Verify
Check if Vulnerable:
Check device configuration for IPsec VPN with RADIUS proxy enabled and verify software version against Cisco advisory
Check Version:
show version | include Version
Verify Fix Applied:
Verify software version is updated to fixed version listed in Cisco advisory and test IPv6 packet processing
📡 Detection & Monitoring
Log Indicators:
- Unexpected device reloads
- RADIUS proxy process crashes
- IPsec VPN connection drops
Network Indicators:
- Sudden increase in IPv6 packets to VPN endpoints
- Multiple VPN tunnel re-establishments
SIEM Query:
source="cisco-asa" AND (event_type="reload" OR event_type="crash") AND process="radius_proxy"
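As an added example (not part of the page and not Cisco code), the Python below turns the SIEM query and the network indicators above into one correlation: a RADIUS-proxy crash or reload is only raised when the same device saw repeated IPsec tunnel re-establishments from one peer shortly before. The log line format, event names and sample lines are a constructed, hypothetical normalisation, not real ASA syslog message IDs.

```python
"""Correlate the page's detection indicators over ASA-style syslog lines: a
RADIUS proxy crash/reload preceded by repeated IPsec tunnel re-establishment.
Added example, not page or Cisco code; the line format and event names are a
constructed, hypothetical normalisation, not real ASA syslog message IDs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines: "<ISO timestamp> <host> <event> key=value ...".
SAMPLE_LOGS = """\
2025-06-01T10:00:01Z fw1 ipsec_down peer=2001:db8::10
2025-06-01T10:00:05Z fw1 ipsec_up peer=2001:db8::10
2025-06-01T10:00:12Z fw1 ipsec_down peer=2001:db8::10
2025-06-01T10:00:20Z fw1 ipsec_up peer=2001:db8::10
2025-06-01T10:00:45Z fw1 crash process=radius_proxy
2025-06-01T10:01:30Z fw1 reload process=radius_proxy reason=watchdog
2025-06-01T11:00:04Z fw2 ipsec_up peer=203.0.113.7
2025-06-02T09:00:00Z fw2 reload process=scheduler reason=maintenance
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ?(.*)$")
def parse_line(line):
    """Return {'ts', 'host', 'event', 'fields'} or None for unparsable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(4).split() if "=" in kv)
    return {"ts": ts, "host": m.group(2), "event": m.group(3), "fields": fields}

def siem_match(ev):
    """Python form of the page's SIEM query: reload/crash tied to radius_proxy."""
    return ev["event"] in ("reload", "crash") and ev["fields"].get("process") == "radius_proxy"

def correlate(log_text, window=timedelta(minutes=5), min_reups=2):
    """Alert on a SIEM hit preceded within `window` by >= min_reups ipsec_up events from one peer."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    reups = defaultdict(list)  # (host, peer) -> timestamps of ipsec_up events
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "ipsec_up":
            reups[(ev["host"], ev["fields"].get("peer"))].append(ev["ts"])
        elif siem_match(ev):
            for (host, peer), times in reups.items():
                recent = [t for t in times if ev["ts"] - window <= t <= ev["ts"]]
                if host == ev["host"] and len(recent) >= min_reups:
                    alerts.append({"host": host, "peer": peer, "event": ev["event"],
                                   "reestablishments": len(recent), "at": ev["ts"]})
    return alerts
```

On the sample data only fw1 is raised (crash, then reload); fw2's scheduled reload does not match the SIEM query and its single re-establishment is below the threshold.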