CVE-2026-20049

Cisco · Adaptive Security Appliance (ASA) / Threat Defense (FTD)

A vulnerability in GCM-encrypted IKEv2 IPsec traffic processing in Cisco ASA and FTD software allows authenticated remote attackers to cause a denial of service.

Executive summary

An authenticated remote attacker can trigger a denial of service (DoS) condition on Cisco ASA and FTD devices by exploiting a flaw in the processing of specific IPsec traffic.

Vulnerability

The vulnerability exists in the way the software processes Galois/Counter Mode (GCM)-encrypted Internet Key Exchange version 2 (IKEv2) IPsec traffic. An authenticated, remote attacker can exploit this by sending crafted traffic, leading to a system crash and a denial of service (DoS) condition.

Business impact

With a CVSS score of 7.7, this is a High-severity vulnerability. While it requires authentication, a successful exploit can take down critical VPN and firewall services, leading to significant operational disruption and loss of remote connectivity for the entire organization. This impact on availability can be costly during peak business hours.

Remediation

Immediate Action: Apply the security updates provided by Cisco for ASA and FTD software to resolve the IKEv2 processing issue.

Proactive Monitoring: Monitor for frequent, unexplained reboots of the firewall and review IKEv2 negotiation logs for unusual patterns or errors originating from authenticated users.

Compensating Controls: Implement strict peer authentication for IPsec tunnels and limit the number of users with the permissions required to establish GCM-encrypted IKEv2 sessions.
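The monitoring step above (repeated unexplained reloads, and bursts of IKEv2 negotiation errors tied to an authenticated peer) can be turned into a simple log check. The script below is an added example, not Cisco's code and not part of this advisory; the log lines it parses are constructed in a generic `<timestamp> <host> <message>` shape and are not real ASA/FTD syslog text, so the regular expressions must be adapted to the actual message format before use. The window sizes and thresholds are assumptions chosen for illustration.

```python
"""Added detection example: flag firewalls that reload repeatedly and
IPsec peers that produce bursts of IKEv2 negotiation errors.

Assumptions (not from the advisory or from Cisco): the log format below is
constructed for this example, and the windows/thresholds are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (hypothetical format, not real ASA/FTD syslog).
SAMPLE_LOGS = """\
2026-03-01T08:00:12 fw-edge-1 IKEv2 negotiation with peer 203.0.113.7 user alice: error=INVALID_SYNTAX
2026-03-01T08:00:15 fw-edge-1 IKEv2 negotiation with peer 203.0.113.7 user alice: error=INVALID_SYNTAX
2026-03-01T08:00:17 fw-edge-1 IKEv2 negotiation with peer 203.0.113.7 user alice: error=INVALID_SYNTAX
2026-03-01T08:00:20 fw-edge-1 IKEv2 negotiation with peer 203.0.113.7 user alice: error=INVALID_SYNTAX
2026-03-01T08:00:31 fw-edge-1 system reboot: unexpected reload
2026-03-01T08:05:02 fw-edge-1 IKEv2 negotiation with peer 198.51.100.4 user bob: error=AUTH_FAILED
2026-03-01T08:06:40 fw-edge-1 IKEv2 negotiation with peer 203.0.113.7 user alice: error=INVALID_SYNTAX
2026-03-01T08:07:11 fw-edge-1 system reboot: unexpected reload
2026-03-01T08:20:00 fw-edge-2 IKEv2 negotiation with peer 192.0.2.9 user carol: error=AUTH_FAILED
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
IKE_ERR_RE = re.compile(
    r"IKEv2 negotiation with peer (?P<peer>\S+) user (?P<user>\S+): error=(?P<err>\S+)"
)
REBOOT_RE = re.compile(r"system reboot: unexpected reload")


def parse_events(text):
    """Turn raw log text into a list of event dicts (ts, host, kind, ...)."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed shape
        ts = datetime.fromisoformat(m.group("ts"))
        host, msg = m.group("host"), m.group("msg")
        if REBOOT_RE.search(msg):
            events.append({"ts": ts, "host": host, "kind": "reboot"})
            continue
        e = IKE_ERR_RE.search(msg)
        if e:
            events.append({"ts": ts, "host": host, "kind": "ike_error",
                           "peer": e.group("peer"), "user": e.group("user"),
                           "err": e.group("err")})
    return events


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1  # slide the left edge forward until it fits
        best = max(best, end - start + 1)
    return best


def find_reboot_bursts(events, window=timedelta(minutes=10), threshold=2):
    """Hosts that reloaded at least `threshold` times within `window`."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["kind"] == "reboot":
            per_host[ev["host"]].append(ev["ts"])
    return {h for h, ts in per_host.items()
            if _max_in_window(ts, window) >= threshold}


def find_noisy_peers(events, window=timedelta(minutes=1), threshold=3):
    """(peer, user) pairs with >= `threshold` IKEv2 errors inside `window`.

    Returns the peak per-window error count for each flagged pair.
    """
    per_peer = defaultdict(list)
    for ev in events:
        if ev["kind"] == "ike_error":
            per_peer[(ev["peer"], ev["user"])].append(ev["ts"])
    flagged = {}
    for key, ts in per_peer.items():
        peak = _max_in_window(ts, window)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def analyze(text):
    """Run both checks over a log export and return the findings."""
    events = parse_events(text)
    return {"reboot_hosts": find_reboot_bursts(events),
            "noisy_peers": find_noisy_peers(events)}


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_LOGS).items():
        print(f"{name}: {finding}")
```

Both checks are rate-based, so they also catch ordinary failure modes (a flapping tunnel, a misconfigured peer); the point is to surface a device that keeps reloading, and which authenticated peer was negotiating just before it did, so the two can be correlated in an investigation.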

Exploitation status

Public Exploit Available: false

Analyst recommendation

We recommend applying the vendor-supplied patches during the next scheduled maintenance window, or immediately if the firewall is critical for remote access. Ensuring that only trusted individuals have the credentials to establish IPsec sessions is a vital secondary defense.