CVE-2025-20225: 
Cisco Adaptive Security Appliance (ASA) vulnerability analysis and mitigation

A vulnerability (CVE-2025-20225) was discovered in the Internet Key Exchange Version 2 (IKEv2) feature of multiple Cisco products including IOS Software, IOS XE Software, Secure Firewall Adaptive Security Appliance (ASA) Software, and Secure Firewall Threat Defense (FTD) Software. The vulnerability was disclosed on August 14, 2025, and could allow an unauthenticated, remote attacker to trigger a memory leak, resulting in a denial of service (DoS) condition (Cisco Advisory, NVD).

The vulnerability stems from improper processing of IKEv2 packets. It has been assigned a CVSS Base Score of 5.8 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L. The vulnerability is associated with CWE-401 (Missing Release of Memory after Effective Lifetime) (NVD, Cisco Advisory).

The impact varies depending on the affected product. For Cisco IOS and IOS XE Software, a successful exploit could cause the device to reload unexpectedly. For Cisco ASA and FTD Software, exploitation could lead to partial system memory exhaustion, causing system instability and preventing the establishment of new IKEv2 VPN sessions. Recovery requires a manual reboot of the device (Cisco Advisory).

Cisco has released software updates that address this vulnerability. There are no workarounds available. Customers with service contracts can obtain security fixes through their regular update channels. The vulnerability was discovered during internal security testing by Jason Crowder of the Cisco Advanced Security Initiatives Group (ASIG) (Cisco Advisory).

The vulnerability was part of Cisco's August 2025 security advisory bundle, which included multiple other security fixes. Security researchers and media outlets have highlighted this vulnerability among other high-severity issues addressed in the bundle (Hacker News).