CVE-2025-20134

Severity: High
Published: 14 August 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0028 (51.7th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-20134 is a high-severity Double Free (CWE-415) vulnerability in Cisco Secure Firewall (inferred from references). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 48.3% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-20134 is a vulnerability in the certificate processing of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. The issue arises from improper parsing of SSL/TLS certificates, which could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. Published on 2025-08-14, it carries a CVSS score of 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and maps to CWE-415.

An unauthenticated, remote attacker can exploit this vulnerability by sending crafted DNS packets that match a static Network Address Translation (NAT) rule with DNS inspection enabled through an affected device. A successful exploit causes the device to reload, leading to a DoS condition with no impact on confidentiality or integrity.

The Cisco Security Advisory provides details on mitigation and patches at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ssltls-dos-eHw76vZe.

Vulnerability details

A vulnerability in the certificate processing of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to improper parsing of SSL/TLS certificates. An attacker could exploit this vulnerability by sending crafted DNS packets that match a static Network Address Translation (NAT) rule with DNS inspection enabled through an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition.

CWE(s)

CWE-415 (Double Free)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1498 Network Denial of Service (Impact): Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users.
Why these techniques?

Remote, unauthenticated exploitation of a public-facing firewall via crafted packets maps directly to T1190; the resulting device reload achieves a network DoS impact per T1498.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23918 (shared CWE-415)
CVE-2025-32988 (shared CWE-415)
CVE-2026-21918 (shared CWE-415)
CVE-2026-31608 (shared CWE-415)
CVE-2026-4358 (shared CWE-415)
CVE-2026-31609 (shared CWE-415)
CVE-2024-56766 (shared CWE-415)
CVE-2026-31475 (shared CWE-415)
CVE-2026-20832 (shared CWE-415)
CVE-2024-35365 (shared CWE-415)

Affected Assets

Cisco Secure Firewall (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

Prevent (vendor patching): Applying vendor patches directly remediates the improper SSL/TLS certificate parsing flaw exploited by crafted DNS packets.

Prevent (SC-5, Denial-of-service Protection): Implements denial-of-service protections to limit the effects of attacks that cause device reloads via malformed inputs.

Prevent (SI-10, Information Input Validation): Enforces validation of DNS packets and SSL/TLS certificates to prevent crashes from improper parsing.
