CVE-2025-20134

A vulnerability in the certificate processing of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to improper parsing of SSL/TLS certificates. An attacker could exploit this vulnerability by sending crafted DNS packets that match a static Network Address Translation (NAT) rule with DNS inspection enabled through an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ssltls-dos-eHw76vZe

Configurations

No configuration.

History

No history.

Information

Published : 2025-08-14 17:15

Updated : 2025-08-19 22:15

NVD link : CVE-2025-20134

Mitre link : CVE-2025-20134

CVE.ORG link : CVE-2025-20134

JSON object : View

Products Affected

No product.

CWE

CWE-415

Double Free

{"id": "CVE-2025-20134", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.9}]}, "published": "2025-08-14T17:15:34.637", "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ssltls-dos-eHw76vZe", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-415"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the certificate processing of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition.\r\n\r\nThis vulnerability is due to improper parsing of SSL/TLS certificates. An attacker could exploit this vulnerability by sending crafted DNS packets that match a static Network Address Translation (NAT) rule with DNS inspection enabled through an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition."}, {"lang": "es", "value": "Una vulnerabilidad en el procesamiento de certificados del software Cisco Secure Firewall Adaptive Security Appliance (ASA) y del software Cisco Secure Firewall Threat Defense (FTD) podr\u00eda permitir que un atacante remoto no autenticado reinicie el dispositivo inesperadamente, lo que resulta en una denegaci\u00f3n de servicio (DoS). Esta vulnerabilidad se debe a un an\u00e1lisis incorrecto de certificados SSL/TLS. Un atacante podr\u00eda explotar esta vulnerabilidad enviando un certificado SSL/TLS manipulado a un sistema afectado a trav\u00e9s de un socket SSL/TLS en espera. Una explotaci\u00f3n exitosa podr\u00eda permitir que el atacante reinicie el dispositivo, lo que resulta en una denegaci\u00f3n de servicio (DoS)."}], "lastModified": "2025-08-19T22:15:27.180", "sourceIdentifier": "[email protected]"}