CVE-2025-20239
Published: 14 August 2025
Summary
CVE-2025-20239 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in Cisco IOS Software (inferred from references). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 35.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Flaw remediation directly mitigates this IKEv2 memory leak vulnerability by applying vendor-provided patches as specified in the Cisco advisory.
Denial-of-service protection enforces rate limiting or traffic filtering on IKEv2 packets to prevent memory exhaustion from crafted inputs.
Information input validation checks the syntax and semantics of incoming IKEv2 packets to block malformed ones that trigger the memory leak.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated exploitation of a public-facing IKEv2 service on network devices directly enables a crafted-packet DoS via memory exhaustion (T1190 for initial access/exploitation and T1499.004 for the resulting system/application DoS).
NVD Description
A vulnerability in the Internet Key Exchange Version 2 (IKEv2) feature of Cisco IOS Software, IOS XE Software, Secure Firewall Adaptive Security Appliance (ASA) Software, and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a memory leak, resulting in a denial of service (DoS) condition. This vulnerability is due to a lack of proper processing of IKEv2 packets. An attacker could exploit this vulnerability by sending crafted IKEv2 packets to an affected device. In the case of Cisco IOS and IOS XE Software, a successful exploit could allow the attacker to cause the device to reload unexpectedly. In the case of Cisco ASA and FTD Software, a successful exploit could allow the attacker to partially exhaust system memory, causing system instability such as being unable to establish new IKEv2 VPN sessions. A manual reboot of the device is required to recover from this condition.
Deeper analysis
CVE-2025-20239 is a vulnerability in the Internet Key Exchange Version 2 (IKEv2) feature of Cisco IOS Software, IOS XE Software, Secure Firewall Adaptive Security Appliance (ASA) Software, and Secure Firewall Threat Defense (FTD) Software. The issue stems from a lack of proper processing of IKEv2 packets, which could allow an unauthenticated, remote attacker to trigger a memory leak and cause a denial-of-service (DoS) condition. It has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and is associated with CWE-401 (Memory Leak).
An unauthenticated, remote attacker can exploit this vulnerability by sending crafted IKEv2 packets to an affected device. On Cisco IOS and IOS XE Software, a successful exploit could cause the device to reload unexpectedly. On Cisco ASA and FTD Software, it could partially exhaust system memory, leading to system instability such as the inability to establish new IKEv2 VPN sessions, with recovery requiring a manual reboot.
The Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-ios-dos-DOESHWHy provides details on affected versions, workarounds, and available patches for mitigation.
Details
- CWE(s)