
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability (CVE-2025-20222) was discovered in the RADIUS proxy feature for IPsec VPN in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. The vulnerability was disclosed on August 14, 2025, and received a CVSS base score of 8.6 (High). The flaw specifically affects Cisco Firepower 2100 Series Firewalls running vulnerable releases of Cisco Secure Firewall ASA Software or Secure FTD Software (Cisco Advisory).
The vulnerability stems from improper processing of IPv6 packets in systems where IPsec VPN with Internet Key Exchange version 1 (IKEv1) or IKEv2 is enabled, IPv6 is enabled on the interface receiving RADIUS traffic, and an access control list (ACL) is configured to permit IP traffic. The vulnerability has been classified as CWE-120 (Buffer Copy without Checking Size of Input). The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (Cisco Advisory).
Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. The attack could trigger a reload of the affected device, resulting in service disruption (NVD).
Cisco has released software updates that address this vulnerability. There are no workarounds available for this vulnerability. Customers with service contracts can obtain security fixes through their regular update channels. Those without service contracts should contact the Cisco Technical Assistance Center (TAC) (Cisco Advisory).
The vulnerability was part of Cisco's August 2025 Semiannual Cisco Secure Firewall ASA, Secure FMC, and Secure FTD Software Security Advisory Bundled Publication, which included a total of 21 security advisories addressing 29 vulnerabilities (Hacker News).
Source: This report was generated using AI