CVE-2025-20136: 
Cisco Adaptive Security Appliance (ASA) vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-20136) was discovered in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. The vulnerability was disclosed on August 14, 2025, and affects the IPv4 and IPv6 Network Address Translation (NAT) DNS inspection functionality. This security flaw received a CVSS base score of 8.6 (High) and is identified as CWE-835, which relates to an infinite loop condition (Cisco Advisory, NVD).

The vulnerability stems from an infinite loop condition that occurs when affected devices process DNS packets with DNS inspection enabled and the device is configured for NAT44, NAT64, or NAT46. The issue specifically affects devices that have both NAT and DNS inspection features enabled. The vulnerability can be identified by using the 'show running-config nat' command to check for NAT configuration and 'show running-config policy-map | include inspect dns' command to verify DNS inspection configuration (Cisco Advisory).

A successful exploitation of this vulnerability results in a denial of service (DoS) condition, causing the affected device to reload unexpectedly. This can lead to service disruption and system unavailability, potentially affecting network operations and security capabilities of the deployed Cisco security appliances (Cisco Advisory).

Cisco has released software updates that address this vulnerability. There are no workarounds available for this vulnerability. Customers with service contracts can obtain security fixes through their usual update channels. Organizations are advised to regularly consult Cisco advisories and ensure their devices have sufficient memory and compatible hardware configurations for the new releases (Cisco Advisory).