Cisco Systems has issued a high-priority security advisory addressing multiple critical vulnerabilities in the Internet Key Exchange Version 2 (IKEv2) feature across its networking and security product portfolio.
Published on August 14, 2025, the advisory warns of six separate vulnerabilities that could enable unauthenticated remote attackers to launch denial-of-service attacks against affected devices, potentially causing system crashes and service disruptions.
Critical Flaws Enable Remote DoS
The vulnerabilities, tracked under CVE identifiers CVE-2025-20224, CVE-2025-20225, CVE-2025-20239, CVE-2025-20252, CVE-2025-20253, and CVE-2025-20254, stem from improper processing of IKEv2 packets within Cisco’s software implementations.
The most severe vulnerability, CVE-2025-20253, carries a CVSS base score of 8.6, indicating high severity with the potential for significant impact on affected systems.
These flaws present several attack vectors and potential impacts:
- Attack Method: Attackers can exploit the IKEv2 protocol by sending specially crafted packets to vulnerable devices.
- Resource Exhaustion: Successful exploitation can result in infinite loops that exhaust system resources.
- Memory Issues: Attacks may trigger memory leaks leading to system instability.
- IOS/IOS XE Impact: For Cisco IOS and IOS XE Software, attacks could force immediate device restarts.
- ASA/FTD Impact: Cisco Secure Firewall ASA and FTD Software may experience partial memory exhaustion, preventing new VPN session establishment and requiring manual system reboots for recovery.
The vulnerabilities are particularly concerning because they require no authentication and can be exploited remotely over network connections.
Cisco’s Product Security Incident Response Team has confirmed that while no public exploitation has been observed, the technical details provided in the advisory could potentially be leveraged by malicious actors.
Multiple Products Affected, Detection Available
The vulnerabilities impact multiple Cisco product families, including IOS Software, IOS XE Software, Secure Firewall Adaptive Security Appliance (ASA) Software, and Secure Firewall Threat Defense (FTD) Software.
However, the scope varies by specific CVE, with some affecting all four product lines while others are limited to ASA and FTD systems only.
For organizations running potentially affected systems, Cisco has provided detailed detection methods. IOS and IOS XE users can check their exposure by running the “show udp | include 500” command to determine whether IKE processing is active, followed by “show crypto map” to confirm that IKEv2 is in use.
For ASA and FTD deployments, administrators should use “show running-config crypto ikev2 | include enable” to determine if IKEv2 is enabled on any interfaces.
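As an added example (not Cisco's code and not part of the advisory), the following Python triage helper applies the three checks above to captured command output, so an operator who has collected “show” output from many devices can rank which ones need the update first. It does not connect to any device. The sample outputs embedded in it are constructed for illustration, and the column layout assumed for “show udp” output is an assumption that should be adjusted to what your platform actually prints.

```python
"""Triage helper for the IKEv2 exposure checks named in the Cisco advisory.

Added example, not Cisco's code. Input is the captured text output of the
three 'show' commands the advisory describes; output is whether IKEv2 appears
to be in use. All sample outputs below are constructed, not real device output.
"""
import re

# --- Constructed sample command output (column layout is an assumption) ---

IOS_SHOW_UDP = """\
Proto    Remote      Port      Local       Port  In Out  Stat TTY OutputIF
 17       --listen--          192.0.2.1     500   0   0    1   0
 17       --listen--          192.0.2.1    4500   0   0    1   0
"""

IOS_SHOW_UDP_NO_IKE = """\
Proto    Remote      Port      Local       Port  In Out  Stat TTY OutputIF
 17       --listen--          192.0.2.1     161   0   0    1   0
"""

IOS_SHOW_CRYPTO_MAP = """\
Crypto Map IPv4 "CMAP" 10 ipsec-isakmp
        Peer = 198.51.100.7
        IKEv2 Profile: IKEV2-PROF
        Extended IP access list 101
"""

IOS_SHOW_CRYPTO_MAP_V1_ONLY = """\
Crypto Map IPv4 "CMAP" 10 ipsec-isakmp
        Peer = 198.51.100.7
        Extended IP access list 101
"""

ASA_IKEV2_ENABLE = """\
crypto ikev2 enable outside
crypto ikev2 enable management client-services port 443
"""


def ios_ike_listening(show_udp_output: str) -> bool:
    """True if 'show udp | include 500' shows a listener on UDP 500 (ISAKMP)
    or UDP 4500 (NAT-T). Whitespace anchors avoid matching ports like 5000."""
    for line in show_udp_output.splitlines():
        if "--listen--" in line and re.search(r"\s(500|4500)\s", line):
            return True
    return False


def ios_ikev2_in_crypto_map(show_crypto_map_output: str) -> bool:
    """True if 'show crypto map' output references an IKEv2 profile."""
    return re.search(r"IKEv2 Profile:", show_crypto_map_output) is not None


def asa_ikev2_interfaces(running_config_output: str) -> list:
    """Interfaces on which 'crypto ikev2 enable' appears in the output of
    'show running-config crypto ikev2 | include enable' on ASA/FTD."""
    return re.findall(r"^crypto ikev2 enable (\S+)", running_config_output, re.MULTILINE)


def assess_ios(show_udp_output: str, show_crypto_map_output: str) -> dict:
    """Combine both IOS/IOS XE checks; 'exposed' requires both to be true."""
    listening = ios_ike_listening(show_udp_output)
    ikev2 = ios_ikev2_in_crypto_map(show_crypto_map_output)
    return {"ike_listening": listening, "ikev2_configured": ikev2,
            "exposed": listening and ikev2}


def assess_asa(running_config_output: str) -> dict:
    """ASA/FTD check: exposed if IKEv2 is enabled on at least one interface."""
    interfaces = asa_ikev2_interfaces(running_config_output)
    return {"ikev2_interfaces": interfaces, "exposed": bool(interfaces)}


if __name__ == "__main__":
    print("IOS sample:", assess_ios(IOS_SHOW_UDP, IOS_SHOW_CRYPTO_MAP))
    print("IOS IKEv1-only sample:", assess_ios(IOS_SHOW_UDP, IOS_SHOW_CRYPTO_MAP_V1_ONLY))
    print("ASA sample:", assess_asa(ASA_IKEV2_ENABLE))
```

A device flagged as exposed here still needs its software release compared against the advisory's fixed versions; this script only answers the "is IKEv2 in use" question that the advisory's own checks address.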
Notably, the vulnerabilities do not affect Cisco’s IOS XR Software, Meraki products, NX-OS Software, or Secure Firewall Management Center (FMC) Software, limiting the scope of potential impact across Cisco’s broader product ecosystem.
Updates Available, No Workarounds
Cisco has released comprehensive software updates addressing all identified vulnerabilities, making patches available through standard support channels for customers with active service contracts.
The company emphasizes that no workarounds exist for these vulnerabilities, making software updates the only effective mitigation strategy.
The networking giant has deployed its Software Checker tool to help customers identify vulnerable releases and determine appropriate upgrade paths.
Organizations are strongly advised to prioritize these updates given the high severity ratings and the lack of alternative protective measures.
Customers without service contracts can obtain the necessary patches by contacting Cisco’s Technical Assistance Center and citing the security advisory as evidence of entitlement to free security updates.