CVE-2025-20222 Overview
CVE-2025-20222 affects the RADIUS proxy feature within the IPsec VPN functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. An unauthenticated, remote attacker can trigger a denial of service (DoS) condition by sending crafted IPv6 packets over an IPsec VPN connection. A successful exploit reloads the affected device, interrupting network traffic and VPN sessions. The flaw is tracked under CWE-120 (Buffer Copy without Checking Size of Input). Cisco documented the issue in the Cisco Security Advisory.
Critical Impact
A remote, unauthenticated attacker can force affected Cisco ASA and FTD devices to reload, disrupting firewall and VPN services for all connected users.
Affected Products
- Cisco Secure Firewall Adaptive Security Appliance (ASA) Software with RADIUS proxy enabled for IPsec VPN
- Cisco Secure Firewall Threat Defense (FTD) Software with RADIUS proxy enabled for IPsec VPN
- Cisco Firepower 2100 Series and other platforms running affected ASA or FTD releases
Discovery Timeline
- 2025-08-14 - CVE-2025-20222 published to NVD
- 2026-04-15 - Last updated in the NVD database
Technical Details for CVE-2025-20222
Vulnerability Analysis
The vulnerability resides in how the RADIUS proxy component of the IPsec VPN feature processes IPv6 packets. The affected code path does not correctly validate input size before copying data, which maps to CWE-120 buffer handling weaknesses. An attacker who can deliver IPv6 packets through an IPsec VPN tunnel to the device can trigger an unhandled condition that causes the firewall to reload.
Because exploitation occurs over the network without authentication or user interaction, the attack scope extends beyond the device itself. A reload terminates all in-flight sessions, including site-to-site and remote-access VPNs, management connections, and firewall-protected traffic. Repeated exploitation produces a sustained outage.
Root Cause
The root cause is improper processing of IPv6 packets within the RADIUS proxy logic used by IPsec VPN authentication flows. The component fails to enforce correct bounds when handling specific IPv6 packet structures, which leads to a fatal error and device reload. Devices without RADIUS proxy enabled for IPsec VPN are not exposed to this specific code path.
Attack Vector
Exploitation requires network-level access to send IPv6 packets across an IPsec VPN connection to an affected device. The attacker does not need valid credentials, MFA tokens, or any prior session state. The Cisco advisory describes the trigger as IPv6 traffic delivered through the VPN tunnel, which causes the device to reload. No public proof-of-concept code or exploit tooling has been reported, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Refer to the Cisco Security Advisory for the authoritative technical description and fixed software releases.
Detection Methods for CVE-2025-20222
Indicators of Compromise
- Unscheduled reloads of Cisco ASA or FTD devices with crash files referencing the IPsec or RADIUS proxy subsystems
- Repeated VPN session drops or tunnel renegotiations correlated with inbound IPv6 traffic
- Syslog entries indicating abnormal terminations of the ikev1, ikev2, or RADIUS proxy processes near the time of an outage
Detection Strategies
- Review device crash dumps and show crashinfo output for stack traces pointing at IPv6 packet handling within the RADIUS proxy code path
- Correlate firewall reload events with upstream NetFlow or packet capture data showing IPv6 traffic to VPN headend addresses
- Alert on repeated short-interval reboots of ASA and FTD appliances through your SIEM or telemetry platform
Monitoring Recommendations
- Centralize ASA and FTD syslog and SNMP trap data to detect reload events within seconds of occurrence
- Track availability of VPN headends with synthetic probes so DoS-induced outages are surfaced quickly
- Capture packet samples on VPN interfaces to support post-incident analysis of suspicious IPv6 flows
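Two of the points above, alerting on repeated short-interval reboots and centralizing syslog so reload events are seen quickly, can be demonstrated with a small detector. This is an added example, not code from Cisco or from the advisory: the syslog lines are constructed, the "Startup completed" message text used as the reload marker is an assumption to be checked against your own devices' logs before it becomes a SIEM rule, and the host names, window and threshold are illustrative.

```python
"""Flag Cisco ASA/FTD devices that reload repeatedly within a short window.

Added example for the detection and monitoring steps above; not Cisco code.
The syslog sample is constructed. The startup message text matched below
is an assumption: confirm the exact reload/startup message on your own
devices before deploying this as a SIEM rule.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of centralized syslog in a "timestamp host message" shape.
SAMPLE_SYSLOG = """\
2025-09-01T10:00:05Z fw-edge-01 %ASA-6-199002: Startup completed. Beginning operation.
2025-09-01T10:02:11Z fw-edge-01 %ASA-6-302013: Built inbound TCP connection
2025-09-01T10:07:40Z fw-edge-01 %ASA-6-199002: Startup completed. Beginning operation.
2025-09-01T10:15:02Z fw-edge-01 %ASA-6-199002: Startup completed. Beginning operation.
2025-09-01T10:16:30Z fw-core-02 %ASA-6-199002: Startup completed. Beginning operation.
2025-09-02T03:00:00Z fw-core-02 %ASA-6-199002: Startup completed. Beginning operation.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")
# Assumed marker of a completed boot; every match means the device reloaded.
STARTUP_RE = re.compile(r"Startup completed", re.IGNORECASE)


def parse_reload_events(syslog_text):
    """Return {host: [datetime, ...]} for every line that marks a completed boot."""
    events = defaultdict(list)
    for line in syslog_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not STARTUP_RE.search(m["msg"]):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["host"]].append(ts)
    return dict(events)


def find_reload_bursts(events, window=timedelta(minutes=30), threshold=3):
    """One alert per host whose densest window holds >= threshold reloads.

    A sliding window over the sorted timestamps keeps this linear per host
    and avoids emitting one alert per overlapping window.
    """
    alerts = []
    for host, stamps in sorted(events.items()):
        stamps = sorted(stamps)
        best = None
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"host": host, "count": count,
                        "first": stamps[start], "last": ts}
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_reload_bursts(parse_reload_events(SAMPLE_SYSLOG)):
        print(f"{alert['host']}: {alert['count']} reloads between "
              f"{alert['first']:%Y-%m-%d %H:%M:%S}Z and {alert['last']:%H:%M:%S}Z")
```

On the constructed sample, fw-edge-01 boots three times in fifteen minutes and is reported, while fw-core-02's two boots are seventeen hours apart and are not. In production, exclude planned maintenance windows (an admin-initiated reload also produces a startup message) and feed the alert into the crash-file review described above rather than treating it as proof of exploitation.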
How to Mitigate CVE-2025-20222
Immediate Actions Required
- Identify ASA and FTD devices that have the RADIUS proxy feature enabled for IPsec VPN and inventory their software versions
- Apply the fixed software releases listed in the Cisco Security Advisory during the next maintenance window
- Restrict IPv6 reachability to VPN headends from untrusted networks where operationally feasible
Patch Information
Cisco has released fixed software for Cisco Secure Firewall ASA and FTD. Administrators should consult the vendor advisory (cisco-sa-fp2k-IPsec-dos-tjwgdZCO) for the version matrix and upgrade guidance. Cisco documents no official workarounds; upgrading to a fixed release is the supported remediation.
Workarounds (compensating measures; not workarounds documented by Cisco)
- Disable the RADIUS proxy feature for IPsec VPN if it is not required, after validating impact on authentication flows
- Limit IPv6 connectivity to VPN endpoints through upstream ACLs or service provider filtering when patching is delayed
- Maintain redundant VPN headends to reduce service impact if a single device is targeted with this DoS
# Identify affected configuration on Cisco ASA / FTD (run from privileged EXEC)
# Lines mentioning "radius" or "aaa-server" show where RADIUS is in use and need review
show running-config | include radius|aaa-server
# Record the running release for comparison with the advisory's fixed versions
show version | include Version
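As an added example that is not Cisco tooling and not from the advisory, the following script turns the saved output of the two commands above, captured once per device, into an inventory for the "identify and inventory" step in Immediate Actions. The device names, command output and the per-train fixed-release map are constructed placeholders; the real first-fixed releases must come from the advisory's version matrix. A RADIUS line in the configuration only shows that the device uses RADIUS, not that the RADIUS proxy for IPsec VPN is enabled, so a device marked for upgrade still needs that confirmed on the box.

```python
"""Inventory captured ASA/FTD command output for CVE-2025-20222 triage.

Added example, not Cisco tooling. Input is the saved output of the two
commands listed above, one pair per device. Device names, outputs and the
per-train fixed-release map are constructed placeholders: the real
first-fixed releases come from the Cisco advisory's version matrix.
"""
import re

# Matches "Cisco Adaptive Security Appliance Software Version 9.16(4)38";
# the trailing interim number is optional (e.g. "9.20(2)").
VERSION_RE = re.compile(r"Software Version (\d+)\.(\d+)\((\d+)\)(\d*)")
# Same filter the "show running-config | include radius|aaa-server" command applies.
RADIUS_RE = re.compile(r"radius|aaa-server", re.IGNORECASE)

# PLACEHOLDER: (major, minor) train -> (maintenance, interim) of the first fixed
# release in that train. Fixed releases are per train, so one global minimum
# version would misjudge devices running other trains.
FIXED_PLACEHOLDER = {
    (9, 16): (4, 70),
    (9, 18): (4, 20),
}

# Constructed sample captures: name -> (show version output, filtered config output).
DEVICES = {
    "fw-edge-01": (
        "Cisco Adaptive Security Appliance Software Version 9.16(4)38",
        "aaa-server RADIUS-VPN protocol radius\n"
        "aaa-server RADIUS-VPN (inside) host 192.0.2.10",
    ),
    "fw-core-02": (
        "Cisco Adaptive Security Appliance Software Version 9.18(4)22",
        "aaa-server RADIUS-VPN protocol radius",
    ),
    "fw-lab-03": (
        "Cisco Adaptive Security Appliance Software Version 9.16(4)38",
        "",
    ),
    "fw-dc-04": (
        "Cisco Adaptive Security Appliance Software Version 9.20(2)",
        "aaa-server RADIUS-VPN protocol radius",
    ),
}


def parse_asa_version(show_version_output):
    """Return (major, minor, maintenance, interim) or None if no version line is found."""
    m = VERSION_RE.search(show_version_output)
    if m is None:
        return None
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def is_fixed(version, fixed_map):
    """True/False against the train's first fixed release; None if the train is unknown."""
    major, minor, maint, interim = version
    first_fixed = fixed_map.get((major, minor))
    if first_fixed is None:
        return None
    return (maint, interim) >= first_fixed


def assess_device(show_version_output, config_output, fixed_map=FIXED_PLACEHOLDER):
    """Classify one device from its captured output.

    A RADIUS line only shows RADIUS is configured; whether the RADIUS proxy is
    enabled for IPsec VPN must still be confirmed on the device, so
    "upgrade-required" means "review and upgrade", not "confirmed exposed".
    """
    version = parse_asa_version(show_version_output)
    if version is None:
        return "unknown-version"
    if not any(RADIUS_RE.search(line) for line in config_output.splitlines()):
        return "no-radius-config"  # page: no RADIUS proxy, not on this code path
    fixed = is_fixed(version, fixed_map)
    if fixed is None:
        return "train-not-in-matrix"  # look the train up in the advisory
    return "fixed-release" if fixed else "upgrade-required"


def inventory(devices=DEVICES, fixed_map=FIXED_PLACEHOLDER):
    """Return {device name: status} for every captured device."""
    return {name: assess_device(ver, cfg, fixed_map) for name, (ver, cfg) in devices.items()}


if __name__ == "__main__":
    for name, status in sorted(inventory().items()):
        print(f"{name:<12} {status}")
```

Keeping the fixed-release map per train is the part that matters: a single "minimum version" check would pass a 9.20 device that is below its own train's fix or fail a patched 9.16 device, which is why an unknown train is reported as such rather than guessed.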
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.