A high-severity vulnerability in Cisco’s Secure Firewall Threat Defense (FTD) Software, tracked as CVE-2025-20217, affects firewall deployments worldwide.
The flaw lies in the Snort 3 Detection Engine and could allow an unauthenticated, remote attacker to cause a denial of service (DoS) on an affected device, disrupting the traffic that passes through it.
| Attribute | Value |
| --- | --- |
| CVE ID | CVE-2025-20217 |
| Advisory ID | cisco-sa-ftd-dos-SvKhtjgt |
| Severity | High (CVSS Base Score: 8.6) |
| CWE Classification | CWE-835 (Loop with Unreachable Exit Condition, “Infinite Loop”) |
The vulnerability stems from incorrect processing of traffic inspected by the Snort 3 Detection Engine within Cisco’s Secure Firewall Threat Defense Software.
According to Cisco’s security advisory, an attacker can exploit this flaw by sending specially crafted traffic through the affected device, causing the system to enter an infinite loop during packet inspection.
The vulnerability requires no authentication and can be exploited remotely over the network, making it particularly concerning for organizations with internet-facing firewall deployments.
When successfully exploited, the attack causes the affected device to become unresponsive while trapped in an infinite processing loop, effectively creating a denial of service condition.
Cisco notes that the Snort process restarts automatically once the system watchdog detects the hung engine, so the device recovers without manual intervention.
However, each restart still interrupts inspection, and an attacker who can reach the device can simply resend the crafted traffic after recovery; whether traffic is dropped or forwarded uninspected while Snort is down depends on the device’s Snort Fail Open setting.
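As an added example (not Cisco’s tooling and not part of the original advisory), the following Python script flags devices whose Snort engine has been restarted repeatedly within a short window, which is the operational signal to look for if this condition is being triggered against an internet-facing device. The log line format and the sample lines are constructed for the example; the `watchdog` process name and the message text are assumptions, so adapt the regex to the actual syslog or health-event export from your FTD devices.

```python
"""Flag Snort 3 restart bursts that may indicate repeated DoS triggering.

Added example, not Cisco's code. The log format is a constructed stand-in
for a syslog/health-event export; the process name "watchdog" and the
message text are assumptions to be adjusted to real device output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape: ISO timestamp, hostname, process, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) "
    r"(?P<proc>[\w-]+): (?P<msg>.*)$"
)
# Assumed text of the watchdog-triggered restart event.
RESTART_MARKER = "snort3 unresponsive, restarting"

# Constructed sample lines (not real FTD output). ftd-edge-01 is restarted
# three times in about twelve minutes; ftd-core-02 restarts once.
SAMPLE_LOGS = """\
2025-08-14T10:00:05Z ftd-edge-01 snort3: detection engine started (pid 4112)
2025-08-14T10:07:41Z ftd-edge-01 watchdog: snort3 unresponsive, restarting
2025-08-14T10:07:44Z ftd-edge-01 snort3: detection engine started (pid 4390)
2025-08-14T10:12:02Z ftd-edge-01 watchdog: snort3 unresponsive, restarting
2025-08-14T10:12:05Z ftd-edge-01 snort3: detection engine started (pid 4501)
2025-08-14T10:19:30Z ftd-edge-01 watchdog: snort3 unresponsive, restarting
2025-08-14T10:19:33Z ftd-edge-01 snort3: detection engine started (pid 4618)
2025-08-14T11:02:10Z ftd-core-02 watchdog: snort3 unresponsive, restarting
2025-08-14T11:02:13Z ftd-core-02 snort3: detection engine started (pid 2203)
this line is not in the expected format and is skipped
"""


def parse_restarts(text):
    """Return {host: [timestamps]} for watchdog-triggered Snort restarts."""
    restarts = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        if m["proc"] != "watchdog" or RESTART_MARKER not in m["msg"]:
            continue  # normal engine start-ups are not counted
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        restarts[m["host"]].append(ts)
    return restarts


def find_bursts(text, window=timedelta(minutes=15), threshold=3):
    """Hosts with >= threshold restarts inside any sliding window.

    Returns {host: (count, first_restart, last_restart)} for the densest
    window seen per host; hosts below the threshold are omitted.
    """
    alerts = {}
    for host, stamps in parse_restarts(text).items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= threshold and count > alerts.get(host, (0,))[0]:
                alerts[host] = (count, stamps[start], ts)
    return alerts


if __name__ == "__main__":
    for host, (count, first, last) in find_bursts(SAMPLE_LOGS).items():
        print(f"{host}: {count} Snort restarts between {first} and {last}")
```

A single restart is routine (a policy deploy or an upgrade also restarts Snort), so the script only alerts on a burst; tune `window` and `threshold` to the deploy cadence of your environment, and correlate the burst with connection logs from the same interval to identify the source sending the traffic.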
The vulnerability affects Cisco devices running a vulnerable release of Secure FTD Software only when an intrusion policy is applied and the device is using the Snort 3 engine; devices still running Snort 2 are not exposed to this issue.
Organizations can determine their exposure by confirming which engine is active (Cisco’s documentation describes this, for example via the show snort3 status command on the FTD CLI) and checking whether an intrusion policy is assigned to the device’s access control policy.
Notably, the vulnerability does not affect several other Cisco security products, including Secure Firewall ASA Software, Secure Firewall Management Center Software, Cyber Vision Software, Meraki products, Umbrella Software, or open-source Snort implementations.
Cisco has released software updates addressing this vulnerability as part of their August 2025 security advisory bundle.
The company emphasizes that no workarounds are available, making immediate patching the only effective mitigation strategy.
Organizations using affected Cisco Secure Firewall systems should prioritize applying the available security updates to prevent potential exploitation.
Given the high CVSS score and the vulnerability’s potential for remote exploitation without authentication, security teams should treat this as a critical patching priority.
The disclosure reinforces the importance of maintaining current security patches and monitoring vendor security advisories for critical infrastructure components.