CVE-2024-20495 Overview
CVE-2024-20495 is a denial of service (DoS) vulnerability in the Remote Access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. An unauthenticated, remote attacker can cause an affected device to reload unexpectedly by sending a crafted key value over an established TLS session. The flaw stems from improper validation of client key data after the TLS session is established, classified under [CWE-20] Improper Input Validation. Cisco published the advisory on October 23, 2024.
Critical Impact
Successful exploitation forces the firewall to reload, disrupting VPN connectivity and all traffic traversing the affected ASA or FTD device.
Affected Products
- Cisco Adaptive Security Appliance (ASA) Software — multiple 9.8, 9.12, 9.14, 9.15, 9.16, and 9.17 release trains
- Cisco Firepower Threat Defense (FTD) Software — 6.2.3, 6.4, 6.6, 6.7, 7.0, and 7.1 release trains
- Devices with the Remote Access VPN feature enabled
Discovery Timeline
- 2024-10-23 - CVE-2024-20495 published to NVD
- 2025-08-15 - Last updated in NVD database
Technical Details for CVE-2024-20495
Vulnerability Analysis
The vulnerability resides in the Remote Access VPN component of Cisco ASA and FTD Software. Cisco ASA delivers SSL/TLS-based VPN termination for enterprise remote users, and FTD inherits the same VPN code path. After a client completes the TLS handshake with the VPN endpoint, the device processes additional key material supplied by the client. The affected code does not properly validate this client key data before further processing.
When the device parses a malformed key value, an unrecoverable error state is reached and the system reloads. Because exploitation requires only an established TLS session with the VPN service, not a completed VPN login, the attacker does not need valid VPN credentials. Repeated exploitation can produce a sustained outage of the VPN headend and any traffic that traverses the firewall.
Root Cause
The root cause is improper input validation [CWE-20] of client-supplied key data following TLS session establishment. The Remote Access VPN process accepts the field without enforcing length, structure, or value constraints sufficient to prevent the abnormal termination of the process.
Attack Vector
Exploitation is network-based and requires no authentication or user interaction. An attacker establishes a TLS session with the VPN service exposed by an affected ASA or FTD device and then transmits a crafted key value. The malformed value triggers the device to reload, producing the DoS condition. Because Remote Access VPN endpoints are commonly exposed to the public internet, the attack surface is broad.
No public proof-of-concept exploit code is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Cisco Security Advisory cisco-sa-asa-vpn-cZf8gT for vendor technical details.
Detection Methods for CVE-2024-20495
Indicators of Compromise
- Unexpected ASA or FTD device reloads with crash dumps referencing the Remote Access VPN or SSL VPN process
- show crashinfo output indicating a traceback in the WebVPN or AnyConnect/Secure Client session handling code
- Loss of all VPN tunnels followed by device reinitialization without an administrator-issued reload command
Detection Strategies
- Monitor syslog messages for %ASA-1-199010 and similar reload or watchdog events correlated with active TLS VPN sessions
- Inspect TLS traffic to the VPN endpoint for anomalous post-handshake payloads originating from untrusted source addresses
- Alert on repeated short-lived TLS sessions from the same source IP to the VPN listener followed by device unavailability
Monitoring Recommendations
- Forward ASA and FTD syslog and SNMP traps to a centralized SIEM and create dedicated rules for unexpected reload events
- Track VPN headend availability with synthetic probes to detect outages within seconds
- Baseline normal Remote Access VPN connection patterns and alert on anomalous source IPs initiating TLS sessions without completing client authentication
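Detection logic for the two strategies above (a burst of short-lived TLS sessions from one source followed by an unexpected reload), as an added example that is not part of the original advisory or any Cisco tooling. The %ASA-1-199010 identifier comes from the text above; the 725002/725007 SSL session messages and the "outside:IP/port" peer token are assumed to resemble real ASA SSL syslog output, and the sample lines are constructed.

```python
"""Correlate ASA syslog: short-lived TLS VPN sessions per source IP
followed by an unexpected reload. Added example; assumes the message
IDs and text formats shown in SAMPLE_LOG."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 199010 is the reload/watchdog ID named on the
# page; 725002/725007 are assumed handshake-complete / session-end IDs.
SAMPLE_LOG = """\
Oct 23 2024 10:00:01 fw1 %ASA-6-725002: Device completed SSL handshake with client outside:203.0.113.7/51001
Oct 23 2024 10:00:02 fw1 %ASA-6-725007: SSL session with client outside:203.0.113.7/51001 terminated
Oct 23 2024 10:00:03 fw1 %ASA-6-725002: Device completed SSL handshake with client outside:203.0.113.7/51002
Oct 23 2024 10:00:04 fw1 %ASA-6-725007: SSL session with client outside:203.0.113.7/51002 terminated
Oct 23 2024 10:00:05 fw1 %ASA-6-725002: Device completed SSL handshake with client outside:198.51.100.4/40001
Oct 23 2024 10:00:06 fw1 %ASA-6-725002: Device completed SSL handshake with client outside:203.0.113.7/51003
Oct 23 2024 10:00:07 fw1 %ASA-6-725007: SSL session with client outside:203.0.113.7/51003 terminated
Oct 23 2024 10:00:09 fw1 %ASA-1-199010: Unexpected system reload
"""

HDR = re.compile(r"^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-(\d)-(\d{6}): (.*)$")
PEER = re.compile(r"outside:(\d+\.\d+\.\d+\.\d+)/(\d+)")


def find_suspect_sources(log, short_s=5, min_sessions=3, window_s=60):
    """Return {src_ip: count} for sources with at least min_sessions TLS
    sessions shorter than short_s seconds in the window_s seconds before
    a reload event. Open sessions without a termination are ignored."""
    open_sessions = {}              # (ip, port) -> handshake timestamp
    short_ends = defaultdict(list)  # ip -> end timestamps of short sessions
    findings = {}
    for line in log.splitlines():
        m = HDR.match(line)
        if not m:
            continue  # not an ASA syslog line we understand
        ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
        msg_id, text = m.group(3), m.group(4)
        peer = PEER.search(text)
        if msg_id == "725002" and peer:
            open_sessions[peer.groups()] = ts
        elif msg_id == "725007" and peer:
            start = open_sessions.pop(peer.groups(), None)
            if start and (ts - start) <= timedelta(seconds=short_s):
                short_ends[peer.group(1)].append(ts)
        elif msg_id == "199010" or "reload" in text.lower():
            lo = ts - timedelta(seconds=window_s)
            for ip, ends in short_ends.items():
                n = sum(lo <= e <= ts for e in ends)
                if n >= min_sessions:
                    findings[ip] = n  # candidate for a SIEM alert
    return findings
```

Feed the function the raw syslog stream your SIEM already collects from the ASA or FTD; tune short_s and min_sessions against your baseline of normal Secure Client connection behaviour.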
How to Mitigate CVE-2024-20495
Immediate Actions Required
- Identify all ASA and FTD devices with Remote Access VPN enabled by reviewing show running-config webvpn and group-policy configurations
- Apply the fixed software releases identified in the Cisco advisory as soon as a maintenance window permits
- Restrict access to the VPN listener to known client networks where business requirements allow, reducing exposure to untrusted sources
Patch Information
Cisco has released fixed software for affected ASA and FTD release trains. Consult the Cisco Security Advisory cisco-sa-asa-vpn-cZf8gT and the Cisco Software Checker to determine the first fixed release for your specific platform and current version. No workarounds that address the vulnerability are provided by Cisco; upgrading is the supported remediation.
Workarounds
- No vendor-supplied workarounds eliminate the vulnerability; only the fixed software releases resolve it
- Where patching is delayed, limit the source IP ranges permitted to reach the Remote Access VPN listener via upstream ACLs or control-plane policy
- Enable high-availability failover pairs so that an unexpected reload of one unit does not produce a complete service outage
# Example: verify running version and identify VPN exposure
show version | include Software
show running-config webvpn
show running-config | include enable.*outside
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.