A high-severity vulnerability has been identified in multiple Cisco networking products that could allow a remote, unauthenticated attacker to cause a denial of service (DoS). Successful exploitation of this flaw could lead to a memory leak, ultimately causing the affected device to crash and disrupt critical network operations.

This vulnerability exists in the software's handling of Internet Key Exchange Version 2 (IKEv2) packets. A remote, unauthenticated attacker can exploit this flaw by sending a specifically crafted sequence of IKEv2 packets to an affected device. The improper processing of these packets causes a gradual memory leak, where system memory is allocated but not properly freed. Over time, repeated exploitation will exhaust all available memory, leading to system instability and an eventual device reload, resulting in a complete denial of service condition.

This vulnerability is rated as High severity with a CVSS score of 8.6. The primary business impact is the potential for significant network downtime. Successful exploitation could disrupt all services transiting through the affected device, including remote access VPNs for employees, site-to-site VPN connections, and general internet connectivity. This can lead to a loss of productivity, interruption of critical business processes, financial losses, and potential reputational damage if the outage affects external customers or partners. The risk is heightened because the attacker does not require any authentication to launch an attack.

Immediate Action: Organizations should identify all vulnerable devices within their environment and apply the security updates provided by Cisco immediately, prioritizing internet-facing systems. After patching, system administrators should continue to monitor affected devices and review access logs for any signs of attempted exploitation.

Proactive Monitoring: Monitor system logs for messages related to memory allocation failures or unexpected process restarts. Use network monitoring tools to track device memory utilization; a steady, unexplained increase in memory consumption could indicate an attack. Scrutinize IKEv2 traffic for anomalies, such as a high volume of connection initiation attempts from unknown or suspicious IP addresses.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce the attack surface:

• Apply Access Control Lists (ACLs) to the crypto map to permit IKEv2 traffic only from trusted and known peer IP addresses.
• If the IKEv2 feature is not in use, disable it entirely on the device to eliminate this attack vector.

Public Exploit Available: false

Due to the high CVSS score and the potential for significant operational disruption, we strongly recommend that organizations prioritize the patching of CVE-2025-20239. All internet-facing devices running the affected software with the IKEv2 feature enabled should be considered at critical risk and patched immediately. While this vulnerability is not currently listed on the CISA KEV catalog, its severity warrants an urgent response. If patching must be delayed, the compensating controls outlined above should be implemented as an interim risk mitigation measure.