CVE-2025-20239: 
Cisco Adaptive Security Appliance (ASA) vulnerability analysis and mitigation

A vulnerability (CVE-2025-20239) has been identified in the Internet Key Exchange Version 2 (IKEv2) feature of multiple Cisco products, including Cisco IOS Software, IOS XE Software, Secure Firewall Adaptive Security Appliance (ASA) Software, and Secure Firewall Threat Defense (FTD) Software. The vulnerability was discovered during internal security testing by Jason Crowder of the Cisco Advanced Security Initiatives Group (ASIG) and was publicly disclosed on August 14, 2025 (Cisco Advisory).

The vulnerability stems from improper processing of IKEv2 packets in affected systems. It has been assigned a CVSS Base Score of 8.6 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H. The vulnerability is associated with CWE-401 (Memory Leak) and affects systems with the IKEv2 VPN feature enabled (Cisco Advisory).

The impact varies depending on the affected product. For Cisco IOS and IOS XE Software, successful exploitation could cause the device to reload unexpectedly. For Cisco ASA and FTD Software, it could lead to partial system memory exhaustion, causing system instability and preventing the establishment of new IKEv2 VPN sessions. Recovery from this condition requires a manual reboot of the device (Cisco Advisory).

Cisco has released software updates that address this vulnerability. There are no workarounds available for this vulnerability. Organizations are advised to apply appropriate updates provided by Cisco to vulnerable systems immediately after appropriate testing (Cisco Advisory).