CVE-2025-20134
Published: 14 August 2025
Summary
CVE-2025-20134 is a high-severity Double Free (CWE-415) vulnerability in Cisco Secure Firewall (inferred from references). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-20134 is a vulnerability in the certificate processing of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. The issue arises from improper parsing of SSL/TLS certificates, which could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. Published on 2025-08-14, it carries a CVSS score of 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and maps to CWE-415.
An unauthenticated, remote attacker can exploit this vulnerability by sending crafted DNS packets that match a static Network Address Translation (NAT) rule with DNS inspection enabled through an affected device. A successful exploit causes the device to reload, leading to a DoS condition with no impact on confidentiality or integrity.
The Cisco Security Advisory provides details on mitigation and patches at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ssltls-dos-eHw76vZe.
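The advisory text names two configuration preconditions for the crash path: a static NAT rule and DNS inspection enabled. The following added example (not from the advisory or from Cisco) scans a constructed ASA-style configuration for both, so an operator can triage which devices need the patch first; the command syntax it matches is assumed from ASA conventions and should be checked against your own platform's documentation.

```python
import re

# Constructed sample of an ASA-style running configuration (not taken from the
# advisory). One object NAT rule with static translation plus the default DNS
# inspection class: both preconditions the advisory text describes are present.
SAMPLE_CONFIG = """\
object network WEB_SERVER
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10 dns
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""

# Assumed syntax: "nat (if_in,if_out) ... static ..." covers object NAT and
# twice-NAT ("nat (...) source static ..."). "inspect dns" enables the engine.
STATIC_NAT_RE = re.compile(r"^\s*nat\s+\([^)]*\)\s+.*\bstatic\b", re.IGNORECASE)
INSPECT_DNS_RE = re.compile(r"^\s*inspect\s+dns\b", re.IGNORECASE)


def find_static_nat_rules(config: str) -> list[str]:
    """Return every static NAT statement found in the configuration text."""
    return [ln.strip() for ln in config.splitlines() if STATIC_NAT_RE.match(ln)]


def dns_inspection_enabled(config: str) -> bool:
    """True when any policy-map class applies the DNS inspection engine."""
    return any(INSPECT_DNS_RE.match(ln) for ln in config.splitlines())


def assess_exposure(config: str) -> dict:
    """Report whether both advisory preconditions co-exist in one configuration.

    A True result means the device should be prioritised for the vendor fix;
    a False result does not prove the software version itself is unaffected.
    """
    rules = find_static_nat_rules(config)
    inspecting = dns_inspection_enabled(config)
    return {
        "static_nat_rules": rules,
        "dns_inspection": inspecting,
        "preconditions_present": bool(rules) and inspecting,
    }


if __name__ == "__main__":
    print(assess_exposure(SAMPLE_CONFIG))
```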
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24856
Vulnerability details
A vulnerability in the certificate processing of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to improper parsing of SSL/TLS certificates. An attacker could exploit this vulnerability by sending crafted DNS packets that match a static Network Address Translation (NAT) rule with DNS inspection enabled through an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated exploitation of a public-facing firewall via crafted packets maps directly to T1190; the resulting device reload achieves a network DoS impact per T1498.
Mitigating Controls (NIST 800-53 r5)
- Vendor patching: applying vendor patches directly remediates the improper SSL/TLS certificate parsing flaw exploited by crafted DNS packets.
- SC-5 (Denial-of-service Protection): implements denial-of-service protections to limit the effects of attacks that cause device reloads via malformed inputs.
- SI-10 (Information Input Validation): enforces validation of DNS packets and SSL/TLS certificates to prevent crashes from improper parsing.