Cyber Resilience

CVE-2025-20239

High

Published: 14 August 2025

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
EPSS Score: 0.0040 (61.0th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-20239 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in Cisco IOS Software (inferred from references). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 39.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-20239 is a vulnerability in the Internet Key Exchange Version 2 (IKEv2) feature of Cisco IOS Software, IOS XE Software, Secure Firewall Adaptive Security Appliance (ASA) Software, and Secure Firewall Threat Defense (FTD) Software. The issue stems from a lack of proper processing of IKEv2 packets, which could allow an unauthenticated, remote attacker to trigger a memory leak and cause a denial-of-service (DoS) condition. It has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and is associated with CWE-401 (Memory Leak).

An unauthenticated, remote attacker can exploit this vulnerability by sending crafted IKEv2 packets to an affected device. On Cisco IOS and IOS XE Software, a successful exploit could cause the device to reload unexpectedly. On Cisco ASA and FTD Software, it could partially exhaust system memory, leading to system instability such as the inability to establish new IKEv2 VPN sessions, with recovery requiring a manual reboot.

The Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-ftd-ios-dos-DOESHWHy provides details on affected versions, workarounds, and available patches for mitigation.

Vulnerability details

A vulnerability in the Internet Key Exchange Version 2 (IKEv2) feature of Cisco IOS Software, IOS XE Software, Secure Firewall Adaptive Security Appliance (ASA) Software, and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a memory leak, resulting in a denial of service (DoS) condition. This vulnerability is due to a lack of proper processing of IKEv2 packets. An attacker could exploit this vulnerability by sending crafted IKEv2 packets to an affected device. In the case of Cisco IOS and IOS XE Software, a successful exploit could allow the attacker to cause the device to reload unexpectedly. In the case of Cisco ASA and FTD Software, a successful exploit could allow the attacker to partially exhaust system memory, causing system instability such as being unable to establish new IKEv2 VPN sessions. A manual reboot of the device is required to recover from this condition.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 · Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 · Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Remote unauthenticated exploitation of the public-facing IKEv2 service on network devices directly enables a crafted-packet DoS via memory exhaustion (T1190 for initial access/exploitation and T1499.004 for the resulting system/application DoS).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25988 · Shared CWE-401
CVE-2025-1634 · Shared CWE-401
CVE-2026-25969 · Shared CWE-401
CVE-2025-56353 · Shared CWE-401
CVE-2026-24828 · Shared CWE-401
CVE-2026-31711 · Shared CWE-401
CVE-2025-21091 · Shared CWE-401
CVE-2026-25796 · Shared CWE-401
CVE-2026-23095 · Shared CWE-401
CVE-2026-3104 · Shared CWE-401

Affected Assets

Cisco IOS Software (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Flaw remediation directly mitigates this IKEv2 memory leak vulnerability by applying vendor-provided patches as specified in the Cisco advisory.

Prevent: Denial-of-service protection enforces rate limiting or traffic filtering on IKEv2 packets to prevent memory exhaustion from crafted inputs.

Prevent: Information input validation checks the syntax and semantics of incoming IKEv2 packets to block malformed ones that trigger the memory leak.
