CVE-2025-20136

Cisco · Cisco Multiple Products

A high-severity vulnerability exists in certain Cisco Secure Firewall products that could allow a remote, unauthenticated attacker to cause a complete denial of service.

Executive summary

A high-severity vulnerability exists in certain Cisco Secure Firewall products that could allow a remote, unauthenticated attacker to cause a complete denial of service. By sending specially crafted DNS traffic through an affected firewall, an attacker can trigger an unexpected device reload, leading to a network outage for all traffic passing through the device. This vulnerability presents a significant risk to network availability and business continuity.

Vulnerability

The vulnerability resides within the DNS inspection engine used for Network Address Translation (NAT) on Cisco Secure Firewall ASA and FTD software. An unauthenticated, remote attacker can exploit this flaw by sending a specially crafted sequence of DNS packets through a vulnerable device that is configured to perform DNS inspection for NAT. When the affected inspection code processes these packets, the device crashes and reloads, resulting in a denial of service (DoS) condition.

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.6. A successful exploit would result in a complete denial of service, as the firewall device would unexpectedly reload. This would interrupt all network traffic, including internet access, VPN connections, and access to internal resources protected by the firewall. The potential consequences include significant business disruption, violation of service level agreements (SLAs), and reputational damage. Given that the attack can be launched remotely by an unauthenticated user, the risk to internet-facing firewalls is particularly high.

Remediation

Immediate Action: Apply the security updates provided by Cisco to all affected devices immediately. Before and after patching, actively monitor firewall logs for unexpected reloads or crashes and review access logs for any anomalous DNS traffic patterns that could indicate an exploitation attempt.

Proactive Monitoring:

  • Monitor system logs (syslog) for any entries indicating unexpected device reboots, crashes, or memory-related errors associated with the DNS inspection process.
  • Utilize network monitoring tools to look for unusual spikes or malformed DNS traffic from untrusted external sources.
  • Configure and monitor Intrusion Detection/Prevention System (IDS/IPS) alerts for signatures related to CVE-2025-20136 as they become available.
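The two log-based checks above (unexpected reloads, and malformed or bursty DNS traffic from untrusted sources) can be automated over exported syslog. The script below is an added example written for this advisory, not Cisco's code. It assumes ASA/FTD-style syslog lines with the timestamp-host-message layout shown in the constructed sample, and it assumes three message IDs (199002 for "Startup completed", 199001 for an operator-issued reload command, and 410001/410002 for DNS-inspection drops); verify those IDs against the syslog reference for your software version and adjust the sets before relying on it.

```python
"""Flag unexpected reloads and DNS-inspection drop bursts in ASA/FTD syslog.

Added example, not Cisco's code. Message IDs below are assumptions to be
verified against your own syslog reference; the sample log is constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

STARTUP_IDS = {"199002"}             # assumed: device finished booting
OPERATOR_RELOAD_IDS = {"199001"}     # assumed: reload issued by an admin
DNS_DROP_IDS = {"410001", "410002"}  # assumed: DNS inspection dropped a packet

# Assumed line layout: "Mar 04 2025 10:00:01 fw01 : %ASA-4-410001: text"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)
# Source address in inspection messages looks like "from outside:203.0.113.5/53".
SRC_RE = re.compile(r"from (?:[\w-]+:)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line):
    """Return a dict with ts/host/msgid/text/src for one syslog line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %Y %H:%M:%S")
    s = SRC_RE.search(rec["text"])
    rec["src"] = s.group("ip") if s else None
    return rec


def analyze(lines, dns_threshold=5, dns_window=timedelta(seconds=60),
            reload_grace=timedelta(minutes=15)):
    """Report (a) startups on a host with no operator reload logged within
    reload_grace beforehand, and (b) source IPs whose DNS-inspection drops
    reach dns_threshold inside any dns_window."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    records.sort(key=lambda r: r["ts"])

    last_operator_reload = {}        # host -> time of last admin reload
    unexpected_reloads = []          # (host, startup time)
    dns_windows = defaultdict(deque) # src ip -> recent drop timestamps
    dns_bursts = {}                  # src ip -> peak drops in one window

    for r in records:
        if r["msgid"] in OPERATOR_RELOAD_IDS:
            last_operator_reload[r["host"]] = r["ts"]
        elif r["msgid"] in STARTUP_IDS:
            prior = last_operator_reload.get(r["host"])
            if prior is None or r["ts"] - prior > reload_grace:
                unexpected_reloads.append((r["host"], r["ts"]))
        elif r["msgid"] in DNS_DROP_IDS and r["src"]:
            q = dns_windows[r["src"]]
            q.append(r["ts"])
            while q and r["ts"] - q[0] > dns_window:   # slide the window
                q.popleft()
            if len(q) >= dns_threshold:
                dns_bursts[r["src"]] = max(dns_bursts.get(r["src"], 0), len(q))

    return {"unexpected_reloads": unexpected_reloads, "dns_bursts": dns_bursts}


# Constructed sample: fw01 takes a burst of oversized DNS replies from one
# external host, then comes back up with no admin reload logged; fw02 was
# reloaded deliberately by an operator and must not be flagged.
_DROP = ("%ASA-4-410001: Dropped UDP DNS reply from outside:{src}/53 to "
         "inside:10.0.0.7/51234; packet length 1400 bytes exceeds configured "
         "limit of 512 bytes")
SAMPLE_LOG = [
    "Mar 04 2025 10:00:01 fw01 : " + _DROP.format(src="203.0.113.5"),
    "Mar 04 2025 10:00:04 fw01 : " + _DROP.format(src="203.0.113.5"),
    "Mar 04 2025 10:00:07 fw01 : " + _DROP.format(src="198.51.100.9"),
    "Mar 04 2025 10:00:09 fw01 : " + _DROP.format(src="203.0.113.5"),
    "Mar 04 2025 10:00:13 fw01 : " + _DROP.format(src="203.0.113.5"),
    "Mar 04 2025 10:00:20 fw01 : " + _DROP.format(src="203.0.113.5"),
    "Mar 04 2025 10:02:40 fw01 : %ASA-6-199002: Startup completed. Beginning operation.",
    "Mar 04 2025 11:30:00 fw02 : %ASA-5-199001: Reload command executed from SSH (remote 10.0.0.2).",
    "Mar 04 2025 11:31:50 fw02 : %ASA-6-199002: Startup completed. Beginning operation.",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for host, ts in result["unexpected_reloads"]:
        print(f"UNEXPECTED RELOAD {host} at {ts}")
    for ip, n in result["dns_bursts"].items():
        print(f"DNS DROP BURST from {ip}: {n} drops within one window")
```

Run it against a syslog export (one line per entry) in place of SAMPLE_LOG; the reload check is deliberately conservative, treating any startup without a preceding operator reload as suspicious so that crash-induced reloads during the patch window are not missed, while the DNS burst threshold and window should be tuned to the volume of legitimate DNS-inspection drops your firewall already produces.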

Compensating Controls: If immediate patching is not feasible, consider the following mitigations:

  • Temporarily disable the DNS inspection feature on the affected firewall. Note that this may impact functionality that relies on DNS-based NAT translations.
  • Implement an upstream access control list (ACL) on a router or other network device to block or rate-limit DNS traffic from untrusted sources before it reaches the vulnerable firewall.
  • Deploy an IPS in front of the firewall with up-to-date signatures capable of detecting and blocking exploit attempts for this vulnerability.

Exploitation status

Public exploit available: No

Analyst recommendation

Given the high severity (CVSS 8.6) of this vulnerability and its potential to cause a complete network outage with no user authentication required, we strongly recommend that organizations prioritize applying the vendor-supplied patches to all affected Cisco Secure Firewall devices immediately. Although this vulnerability is not currently listed on the CISA KEV list, its critical impact on network infrastructure makes it a prime candidate for future inclusion. Proactive patching is the most effective strategy to prevent disruption to business operations.