CVE-2025-20224: 
Cisco Adaptive Security Appliance (ASA) vulnerability analysis and mitigation

A vulnerability (CVE-2025-20224) exists in the Internet Key Exchange Version 2 (IKEv2) module of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software. This vulnerability was discovered during internal security testing by Jason Crowder of the Cisco Advanced Security Initiatives Group (ASIG) and was publicly disclosed on August 14, 2025 (Cisco Advisory).

The vulnerability stems from improper parsing of IKEv2 packets in the affected systems. It has been assigned a CVSS Base Score of 5.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L. The vulnerability is tracked under CWE-401 (Missing Release of Memory after Effective Lifetime) (NVD).

A successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to partially exhaust system memory, resulting in system instability. The specific impact includes the inability to establish new IKEv2 VPN sessions, requiring a manual reboot of the device to recover from this condition (Cisco Advisory).

Cisco has released software updates that address this vulnerability. There are no workarounds available for this vulnerability. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels (Cisco Advisory).

The vulnerability has been included in Cisco's August 2025 release of the Cisco Secure Firewall ASA, Secure FMC, and Secure FTD Software Security Advisory Bundled Publication, which addressed multiple security issues (Hacker News).