CVE-2024-20426 Overview
CVE-2024-20426 is a denial-of-service vulnerability affecting the Internet Key Exchange version 2 (IKEv2) protocol implementation used for VPN termination in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. The flaw results from insufficient input validation of IKEv2 traffic. An unauthenticated, remote attacker can send crafted IKEv2 packets to a vulnerable device, causing it to reload and enter a denial-of-service state. The vulnerability is tracked under [CWE-476] (NULL Pointer Dereference) and impacts availability of VPN termination infrastructure.
Critical Impact
Unauthenticated remote attackers can force affected Cisco ASA or FTD devices to reload, disrupting VPN connectivity and network security enforcement for the duration of the outage.
Affected Products
- Cisco Adaptive Security Appliance (ASA) Software versions 9.18.x, 9.19.x, and 9.20.x (up to 9.20.2.21)
- Cisco Firepower Threat Defense (FTD) Software versions 7.2.x, 7.3.x, and 7.4.x (up to 7.4.1.1)
- Devices configured with IKEv2 for remote-access or site-to-site VPN termination
Discovery Timeline
- 2024-10-23 - CVE-2024-20426 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-20426
Vulnerability Analysis
The vulnerability resides in the IKEv2 protocol handler used by Cisco ASA and FTD software for VPN session termination. IKEv2 is the negotiation protocol that establishes IPsec security associations between VPN peers. Because IKEv2 listens on UDP port 500 (and 4500 when NAT traversal is used), the attack surface is exposed to any host that can reach the VPN termination interface, which is typically the internet-facing edge of the firewall.
An attacker sends crafted IKEv2 messages that the parser fails to validate correctly. Under the flawed code path, the software dereferences a NULL pointer ([CWE-476]) during processing of the malformed input. The dereference triggers an unrecoverable exception, and the device reloads to recover a consistent state. Repeated exploitation prevents the device from maintaining a stable service state.
Root Cause
The root cause is insufficient input validation of specific fields within IKEv2 packets. When those fields are malformed or absent, the IKEv2 processing routine follows a code path that operates on an uninitialized or NULL pointer, resulting in a fatal exception in the ASA or FTD process.
Attack Vector
Exploitation requires only network access to the IKEv2 listener on the affected device. No authentication, user interaction, or existing VPN tunnel is required. An attacker sends a single crafted IKEv2 packet (or a sequence of packets) to UDP/500 or UDP/4500 on the VPN termination interface. A successful trigger causes the device to reload, dropping all sessions and disrupting VPN, firewall, and inspection services.
No verified public proof-of-concept or exploit code is available for this vulnerability at the time of writing. See the Cisco Security Advisory cisco-sa-asaftd-ikev2-dos-9FgEyHsF for authoritative technical details.
Detection Methods for CVE-2024-20426
Indicators of Compromise
- Unexpected device reloads or crash traceback entries in ASA/FTD show crashinfo output referencing the IKEv2 process
- Repeated syslog entries indicating IKEv2 process termination and system restart
- Loss of active VPN sessions coinciding with inbound UDP/500 or UDP/4500 traffic bursts from unfamiliar sources
Detection Strategies
- Monitor Cisco ASA/FTD syslog for reload messages such as %ASA-1-199010 and IKEv2 error events preceding a reboot
- Inspect NetFlow, IPFIX, or firewall logs for anomalous IKEv2 traffic patterns from external IPs to VPN headends
- Correlate device uptime resets across the fleet using centralized logging to identify possible active exploitation attempts
Monitoring Recommendations
- Alert on ASA/FTD device reboots that occur outside of scheduled maintenance windows
- Track connection counts on UDP/500 and UDP/4500 and flag sudden spikes from single or small groups of source IPs
- Ingest firewall and VPN telemetry into a centralized data lake or SIEM to enable long-term pattern analysis and cross-device correlation
How to Mitigate CVE-2024-20426
Immediate Actions Required
- Identify all Cisco ASA and FTD devices running affected versions using inventory tooling and Cisco's Software Checker
- Apply fixed software releases published by Cisco to all affected devices as soon as change windows allow
- Restrict IKEv2 exposure by permitting UDP/500 and UDP/4500 only from expected VPN peers where feasible
Patch Information
Cisco has released fixed software addressing CVE-2024-20426. Refer to the Cisco Security Advisory cisco-sa-asaftd-ikev2-dos-9FgEyHsF for the fixed release matrix mapped to each affected ASA and FTD train. Use the Cisco Software Checker to determine the appropriate upgrade target for the running configuration.
Workarounds
- No official workaround eliminates the vulnerability without patching; upgrading to a fixed release is required
- For remote-access VPN headends, apply control-plane ACLs to limit IKEv2 exposure to known client ranges where operationally acceptable
- Enable rate limiting or edge filtering on upstream infrastructure to reduce the volume of unsolicited IKEv2 traffic reaching the device
# Example: restrict IKEv2 (UDP/500 and UDP/4500) to trusted site-to-site peers
access-list VPN-CONTROL extended permit udp host <peer-ip> any eq isakmp
access-list VPN-CONTROL extended permit udp host <peer-ip> any eq 4500
access-list VPN-CONTROL extended deny udp any any eq isakmp
access-list VPN-CONTROL extended deny udp any any eq 4500
control-plane
access-group VPN-CONTROL in interface outside
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

