CVE-2025-20254: 
Cisco Adaptive Security Appliance (ASA) vulnerability analysis and mitigation

A vulnerability (CVE-2025-20254) was discovered in the Internet Key Exchange Version 2 (IKEv2) module of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software. The vulnerability was disclosed on August 14, 2025, and affects the IKEv2 VPN feature when enabled on these systems (Cisco Advisory).

The vulnerability stems from improper parsing of IKEv2 packets in the affected systems. It has been assigned a CVSS Base Score of 5.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L. The vulnerability is tracked under CWE-401 (Missing Release of Memory after Effective Lifetime) (NVD, Cisco Advisory).

A successful exploitation of this vulnerability could allow an attacker to partially exhaust system memory, leading to system instability. The specific impact includes the inability to establish new IKEv2 VPN sessions, requiring a manual reboot of the device to recover from this condition (Cisco Advisory).

Cisco has released software updates that address this vulnerability. There are no workarounds available for this vulnerability. Customers with service contracts can obtain security fixes through their usual update channels (Cisco Advisory).

The vulnerability was discovered during internal security testing by Jason Crowder of the Cisco Advanced Security Initiatives Group (ASIG) (Cisco Advisory).