CVE-2025-20252: 
Cisco Adaptive Security Appliance (ASA) vulnerability analysis and mitigation

A vulnerability (CVE-2025-20252) has been identified in the Internet Key Exchange Version 2 (IKEv2) module of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software. The vulnerability was disclosed on August 14, 2025, and affects multiple versions of Cisco ASA and FTD Software that have the IKEv2 VPN feature enabled (Cisco Advisory).

The vulnerability stems from improper parsing of IKEv2 packets in the affected systems. It has been assigned a CVSS v3.1 Base Score of 5.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L. The vulnerability is classified under CWE-401 (Missing Release of Memory after Effective Lifetime) (NVD).

A successful exploitation of this vulnerability can result in a denial of service (DoS) condition through partial exhaustion of system memory. This can cause system instability, particularly affecting the ability to establish new IKEv2 VPN sessions. Recovery from this condition requires a manual reboot of the affected device (Cisco Advisory).

Cisco has released software updates that address this vulnerability. No workarounds are available for this vulnerability. Organizations using affected versions of Cisco ASA and FTD Software should upgrade to the fixed versions as specified in the Cisco Security Advisory (Cisco Advisory).