CVE-2025-20252: 
Cisco Adaptive Security Appliance (ASA) vulnerability analysis and mitigation

A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a memory leak, resulting in a denial of service (DoS) condition. The vulnerability was discovered and disclosed on August 14, 2025, and is tracked as CVE-2025-20252 with a CVSS base score of 5.8 (Medium) (NVD, Cisco Advisory).

The vulnerability is caused by improper parsing of IKEv2 packets in the affected systems. The issue is classified as CWE-401 (Missing Release of Memory after Effective Lifetime). The vulnerability has a CVSS vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L, indicating that it can be exploited remotely with low attack complexity and requires no privileges or user interaction (Cisco Advisory).

A successful exploitation of this vulnerability could allow an attacker to partially exhaust system memory, causing system instability such as being unable to establish new IKEv2 VPN sessions. Recovery from this condition requires a manual reboot of the device (NVD, Cisco Advisory).

Cisco has released software updates that address this vulnerability. There are no workarounds available for this vulnerability. Customers with service contracts can obtain security fixes through their usual update channels (Cisco Advisory).