CVE-2026-20013
📋 TL;DR
A memory exhaustion vulnerability in the IKEv2 implementation of Cisco Secure Firewall ASA Software and Cisco Secure Firewall Threat Defense (FTD) Software allows an unauthenticated remote attacker to cause a denial of service by sending crafted IKEv2 packets to an interface on which IKEv2 is enabled. Only devices with IKEv2 enabled are exposed; the attacker needs no credentials and no configured VPN peer.
💻 Affected Systems
- Cisco Secure Firewall ASA Software
- Cisco Secure FTD Software
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete device crash requiring manual reload, disrupting all network traffic through the firewall and potentially causing cascading network outages.
Likely Case
Degraded firewall performance leading to packet loss, increased latency, and potential service disruption for internal systems.
If Mitigated
Minimal impact if IKEv2 is disabled, or if no untrusted host can reach the device's IKEv2 listeners (UDP/500 and UDP/4500) because of proper network segmentation. "Not internet-facing" only helps if that reachability condition actually holds for every interface with IKEv2 enabled.
🎯 Exploit Status
No public exploit is cited on this page. The attack needs no authentication and no configured peer: any host that can reach UDP/500 (or UDP/4500 for NAT-T) on an interface where IKEv2 is enabled can deliver the crafted packets, so crafting them is relatively straightforward for an attacker with that network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Cisco advisory for specific fixed versions
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ikev2-dos-eBueGdEG
Restart Required: Yes
Instructions:
1. Check the current version with 'show version'.
2. Download the fixed release for your software train from Cisco (the advisory lists the fixed versions).
3. Follow the Cisco upgrade procedure for ASA or FTD.
4. Reload the device after the upgrade.
🔧 Temporary Workarounds
Disable IKEv2
Disable IKEv2 on the exposed interface if it is not required. Peers that need a tunnel would have to fall back to IKEv1 (confirm your peers and policy allow that first). There is no 'crypto ikev2 disable' command; use the 'no' form of the enable command:
no crypto ikev2 enable outside
Restrict IKEv2 Access
Limit which sources may send IKEv2 (UDP/500, and UDP/4500 for NAT-T) to the device itself. A crypto map 'match address' ACL does not do this: it only selects traffic to be encrypted inside a tunnel, and the attacker never needs a tunnel. Use a control-plane ACL, which filters traffic destined to the firewall's own interfaces. Keep the trailing 'permit ip any any': the control-plane ACL ends with an implicit deny that would otherwise drop all other to-the-box traffic, including management sessions. The 'control-plane' keyword on 'access-group' requires a release that supports control-plane ACLs; check the command reference for your release.
access-list IKEV2-ACL extended permit udp host <trusted_peer_ip> any eq 500
access-list IKEV2-ACL extended permit udp host <trusted_peer_ip> any eq 4500
access-list IKEV2-ACL extended deny udp any any eq 500
access-list IKEV2-ACL extended deny udp any any eq 4500
access-list IKEV2-ACL extended permit ip any any
access-group IKEV2-ACL in interface outside control-plane
On FTD the equivalent policy is deployed from the management center rather than entered at the device CLI.
🧯 If You Can't Patch
- Implement strict network ACLs to limit IKEv2 traffic to trusted sources only
- Monitor device memory usage ('show memory') and alert on abnormal IKEv2 traffic patterns, such as a high rate of negotiations from a single source
🔍 How to Verify
Check if Vulnerable:
Check if IKEv2 is enabled: 'show running-config | include ikev2 enable' lists the exposed interfaces (a line such as 'crypto ikev2 enable outside' means that interface listens on UDP/500 and UDP/4500). If any interface is listed, compare the version from 'show version' against the fixed releases in the Cisco advisory.
Check Version:
show version
Verify Fix Applied:
Verify upgraded to fixed version: 'show version' reports a fixed release, and 'show crypto ikev2 sa' shows the expected peers re-establishing after the reload.
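The checks above can be scripted against CLI output that has already been captured from each device. The following is an added example, not code from this page or from Cisco: it parses the ASA 'show version' first line and the 'crypto ikev2 enable' lines of the running configuration, and classifies the device. Because this page carries no fixed-version data, the caller supplies the first fixed release per software train after reading the Cisco advisory; the value in FIXED_BY_TRAIN_PLACEHOLDER is a placeholder, not the real fix. The version regex targets the ASA 'show version' format; FTD output would need its own pattern.

```python
"""Offline exposure check for CVE-2026-20013 from captured ASA/FTD output.

Added example; not from the CVE page or from Cisco. Parses the output of
'show version' and 'show running-config | include ikev2' collected from a
device. The fixed release is NOT stated on the page: the caller passes it
per software train after reading the Cisco advisory.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# First line of ASA 'show version', e.g. "... Software Version 9.18(4)12".
_VERSION_RE = re.compile(r"Software Version\s+(\d+\.\d+\(\d+\)\d*)")
# 'crypto ikev2 enable <nameif>' is the line that exposes an interface.
_ENABLE_RE = re.compile(r"^\s*crypto ikev2 enable\s+(\S+)", re.MULTILINE)


def parse_asa_version(text: str) -> Version:
    """'9.18(4)12' -> (9, 18, 4, 12); tuples then compare in release order."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"not an ASA/FTD version string: {text!r}")
    return tuple(int(n) for n in nums)


def running_version(show_version: str) -> Optional[Version]:
    """Extract the running release from 'show version' output, if present."""
    m = _VERSION_RE.search(show_version)
    return parse_asa_version(m.group(1)) if m else None


def ikev2_interfaces(running_config: str) -> List[str]:
    """Interfaces on which IKEv2 listens (UDP/500 and UDP/4500)."""
    return _ENABLE_RE.findall(running_config)


def assess(show_version: str, running_config: str,
           fixed_by_train: Dict[Tuple[int, int], Version]) -> Dict[str, object]:
    """Classify a device as not_exposed, fixed, vulnerable, or unknown_*.

    fixed_by_train maps a train such as (9, 18) to the first fixed release
    in that train, copied from the Cisco advisory by the operator.
    """
    ifaces = ikev2_interfaces(running_config)
    ver = running_version(show_version)
    result: Dict[str, object] = {"version": ver, "ikev2_interfaces": ifaces}
    if not ifaces:
        result["status"] = "not_exposed"        # IKEv2 never listens
    elif ver is None:
        result["status"] = "unknown_version"
    elif ver[:2] not in fixed_by_train:
        result["status"] = "unknown_train"      # advisory lookup needed
    elif ver >= fixed_by_train[ver[:2]]:
        result["status"] = "fixed"
    else:
        result["status"] = "vulnerable"
    return result


# Constructed sample output (not captured from a real device).
SHOW_VERSION = """Cisco Adaptive Security Appliance Software Version 9.18(4)12
SSP Operating System Version 2.12(1.50)
Device Manager Version 7.18(1)
"""
RUNNING_CONFIG = """crypto ikev2 policy 10
 encryption aes-gcm-256
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint VPN-CERT
"""
# PLACEHOLDER: NOT the real fixed release. Copy the first fixed version for
# your train from the Cisco advisory before using this for real decisions.
FIXED_BY_TRAIN_PLACEHOLDER: Dict[Tuple[int, int], Version] = {(9, 18): (9, 18, 4, 99)}

if __name__ == "__main__":
    print(assess(SHOW_VERSION, RUNNING_CONFIG, FIXED_BY_TRAIN_PLACEHOLDER))
```

Run it against one captured pair of outputs per device; a device with no 'crypto ikev2 enable' line is reported as not exposed regardless of version, which matches the "If Mitigated" case above.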
📡 Detection & Monitoring
Log Indicators:
- High memory usage alerts
- IKEv2 session failures
- Device reload events
- ASA/FTD crash logs
Network Indicators:
- Unusual IKEv2 packet spikes from single sources
- IKEv2 (UDP/500, UDP/4500) packets arriving on interfaces that do not terminate VPNs, or from sources that are not configured peers
SIEM Query:
source="asa_ftd_logs" AND ("IKEv2" OR "memory" OR "reload") AND severity<=4
ASA syslog severities count down (0 = emergencies, 4 = warnings), so 'severity<=4' keeps warnings and anything more severe; 'severity>=4' would keep the informational noise and drop the errors.
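The keyword query above is a starting point; the indicators it lists become a usable detection once they are rated per source and correlated with memory warnings. The following is an added example, not part of this page and not a Cisco tool: it reads ASA/FTD syslog lines, counts IKEv2 messages per remote peer inside a sliding window, alerts when one source exceeds a threshold, and reports whether a memory-usage warning follows such a burst. The sample lines are constructed for the example, the timestamp format assumes 'logging timestamp' style "Mon DD YYYY HH:MM:SS", and the message IDs, field layout and thresholds are illustrative; check them against the syslog message reference for your release before deploying.

```python
"""Detection logic for IKEv2 flood / memory-exhaustion attempts on ASA/FTD.

Added example, not part of the CVE page and not a Cisco tool. Reads syslog
lines (constructed samples below), rates IKEv2 messages per remote peer in
a sliding window, and correlates memory warnings with a recent burst.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional

# "Jan 10 2026 12:00:05: %ASA-4-750003: <text>" (ASA severity 0 = most severe;
# the colon after the timestamp is optional because relays often strip it)
_LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}):? "
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$"
)
# IKEv2 messages carry "Remote:<ip>:<port>"; IPv4 only in this example.
_REMOTE_RE = re.compile(r"Remote:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+")
_MEM_RE = re.compile(r"Memory usage reached (?P<pct>\d+)")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the fields the detector needs, or None for a non-ASA line."""
    m = _LINE_RE.match(line)
    if m is None:
        return None
    text = m["text"]
    remote = _REMOTE_RE.search(text)
    mem = _MEM_RE.search(text)
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
        "severity": int(m["sev"]),
        "msg_id": m["id"],
        "ikev2": "IKEv2" in text,
        "remote_ip": remote["ip"] if remote else None,
        "memory_pct": int(mem["pct"]) if mem else None,
    }


def detect(lines: List[str], window_s: int = 60, per_source_threshold: int = 20,
           memory_pct: int = 80) -> List[Dict[str, object]]:
    """Per-peer sliding-window rate check plus memory-warning correlation."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    windows: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged = set()                     # alert once per offending source
    last_burst: Optional[datetime] = None
    alerts: List[Dict[str, object]] = []
    for ev in events:
        now = ev["ts"]
        if ev["ikev2"] and ev["remote_ip"]:
            q = windows[ev["remote_ip"]]
            q.append(now)
            while q and (now - q[0]).total_seconds() > window_s:
                q.popleft()             # drop timestamps outside the window
            if len(q) >= per_source_threshold and ev["remote_ip"] not in flagged:
                flagged.add(ev["remote_ip"])
                last_burst = now
                alerts.append({"type": "ikev2_burst", "source": ev["remote_ip"],
                               "count": len(q), "at": now})
        if ev["memory_pct"] is not None and ev["memory_pct"] >= memory_pct:
            recent = last_burst is not None and (now - last_burst).total_seconds() <= window_s
            alerts.append({"type": "memory_pressure", "pct": ev["memory_pct"],
                           "after_ikev2_burst": recent, "at": now})
    return alerts


# Constructed sample syslog (not real device output): 25 aborted IKEv2
# negotiations from one peer in 25 seconds, a legitimate peer establishing
# an SA, then a memory warning shortly after the burst.
SAMPLE_LOGS = [
    f"Jan 10 2026 12:00:{i:02d}: %ASA-4-750003: Local:192.0.2.1:500 "
    f"Remote:198.51.100.7:{40000 + i} Username:Unknown IKEv2 Negotiation "
    f"aborted due to ERROR: Maximum number of retransmissions reached"
    for i in range(25)
] + [
    "Jan 10 2026 12:00:10: %ASA-5-750006: Local:192.0.2.1:500 Remote:203.0.113.5:500 "
    "Username:branch-fw IKEv2 SA UP. Reason: New Connection Established",
    "Jan 10 2026 12:00:40: %ASA-1-321006: System Memory usage reached 91%",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The sort at the top of detect() lets the detector tolerate log lines delivered out of order; the one-alert-per-source set keeps a sustained flood from paging on every packet. Tune per_source_threshold to the negotiation rate your real peers produce, and treat a memory warning with after_ikev2_burst set as the signal to apply the control-plane ACL workaround above.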