Cisco ASA and FTD CVE-2025-20134: Brief Summary of SSL/TLS Certificate Double Free DoS Vulnerability

A brief summary of CVE-2025-20134, a high-severity SSL/TLS certificate parsing vulnerability in Cisco ASA and Firepower Threat Defense (FTD) software. This post covers affected versions, technical details, and official patch guidance.
CVE Analysis

8 min read

ZeroPath CVE Analysis

2025-08-14

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Unexpected reloads of critical perimeter firewalls disrupt VPN access, remote work, and often core business operations. CVE-2025-20134 is a high-severity vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software that lets an unauthenticated, remote attacker force a device reload (a denial of service) through a flaw in SSL/TLS certificate handling.

Cisco ASA and FTD are widely deployed security appliances in enterprise and service provider networks, providing firewall, VPN, and advanced threat defense capabilities. Their reliability and security are foundational to many organizations' network perimeters.

Technical Information

CVE-2025-20134 stems from improper handling of SSL/TLS certificates in Cisco ASA and FTD software. It is classified as CWE-415 (double free): the same heap block is released twice. Here the certificate validation path mismanages ownership of a buffer while processing certain malformed or crafted certificates, so a buffer released on one code path is released again by another.

An unauthenticated, remote attacker exploits this by presenting a crafted SSL/TLS certificate to any SSL/TLS listener on a vulnerable device, for example the AnyConnect SSL VPN, the Clientless SSL VPN, or another SSL/TLS-enabled interface. When the device processes the certificate, the second release corrupts heap state and the appliance crashes and reloads, dropping all traffic that traverses the firewall until it comes back up.

No authentication or user interaction is required, and any exposed SSL/TLS service is a potential target. At the time of writing there are no public proof-of-concept exploits or code snippets for this vulnerability. Only specific ASA and FTD releases are affected, as listed below.
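The pattern behind a CWE-415 bug of this kind, as an added illustration that is not Cisco's code and is not derived from the ASA/FTD source: the certificate format, the parser functions and the tracked_free() harness are all invented for this example. One routine releases a buffer on its error path without clearing the pointer, and the owner's cleanup releases it again; the fixed variant clears the pointer so only one release can ever happen.

```c
/* Added illustration, not Cisco code: the CWE-415 shape described above, in a
 * toy certificate parser. The inner routine frees a member buffer on its error
 * path but leaves the pointer set; the outer routine's cleanup then frees the
 * same buffer again. A real double free aborts under glibc's heap checks, so
 * releases go through tracked_free(), a harness that counts repeat releases. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 64
static void *g_freed[MAX_TRACKED];           /* pointers released since the last reset */
static int g_nfreed, g_double_frees;

static void tracked_reset(void) { g_nfreed = 0; g_double_frees = 0; }
static void tracked_free(void *p)            /* valid while no address is reused between resets */
{
    if (p == NULL) return;
    for (int i = 0; i < g_nfreed; i++)
        if (g_freed[i] == p) { g_double_frees++; return; }   /* repeat release: count it, skip free() */
    if (g_nfreed < MAX_TRACKED) g_freed[g_nfreed++] = p;
    free(p);
}

/* Toy blob (invented, not X.509): subject_len(1) subject(...) [san_len(1) san(...)]; SAN bytes must be printable ASCII. */
struct cert { uint8_t *subject; uint8_t *san; };
typedef int (*san_parser)(struct cert *, const uint8_t *, size_t);

static void cert_free(struct cert *c)        /* owner cleanup: releases every member */
{
    tracked_free(c->subject);
    tracked_free(c->san);
    c->subject = c->san = NULL;
}

/* Buggy inner parser for the SAN field: returns 0, or -1 on malformed input. */
static int parse_san_vuln(struct cert *c, const uint8_t *p, size_t n)
{
    if (n < 1 || p[0] == 0 || (size_t)p[0] > n - 1) return -1;   /* rejected before any allocation */
    size_t len = p[0];
    if ((c->san = malloc(len)) == NULL) return -1;
    memcpy(c->san, p + 1, len);
    for (size_t i = 0; i < len; i++)
        if (c->san[i] < 0x20 || c->san[i] > 0x7e) {
            tracked_free(c->san);            /* BUG: released, but c->san still points at the buffer */
            return -1;
        }
    return 0;
}

/* Fixed inner parser: drop the reference after releasing, so the owner's cleanup sees NULL. */
static int parse_san_fixed(struct cert *c, const uint8_t *p, size_t n)
{
    if (n < 1 || p[0] == 0 || (size_t)p[0] > n - 1) return -1;
    size_t len = p[0];
    if ((c->san = malloc(len)) == NULL) return -1;
    memcpy(c->san, p + 1, len);
    for (size_t i = 0; i < len; i++)
        if (c->san[i] < 0x20 || c->san[i] > 0x7e) {
            tracked_free(c->san);
            c->san = NULL;                   /* FIX: exactly one release of this buffer */
            return -1;
        }
    return 0;
}

static int parse_cert(const uint8_t *buf, size_t n, struct cert *out, san_parser parse_san)
{
    memset(out, 0, sizeof *out);
    if (n < 1 || buf[0] == 0 || (size_t)buf[0] > n - 1) return -1;
    size_t slen = buf[0];
    if ((out->subject = malloc(slen)) == NULL) return -1;
    memcpy(out->subject, buf + 1, slen);
    if (n - 1 - slen > 0 && parse_san(out, buf + 1 + slen, n - 1 - slen) < 0) {
        cert_free(out);                      /* with parse_san_vuln this releases out->san a second time */
        return -1;
    }
    return 0;
}

/* Parses one blob with the given SAN parser and returns how many double frees the harness observed. */
int double_frees_for(const uint8_t *buf, size_t n, san_parser parse_san)
{
    struct cert c;
    tracked_reset();
    if (parse_cert(buf, n, &c, parse_san) == 0) cert_free(&c);
    return g_double_frees;
}

/* Constructed inputs: a well-formed blob, and one whose SAN carries a non-printable byte. */
static const uint8_t GOOD_CERT[] = { 3, 'a', 's', 'a', 4, 'v', 'p', 'n', '1' };
static const uint8_t BAD_CERT[]  = { 3, 'a', 's', 'a', 2, 'v', 0xff };

int main(void)
{
    printf("good cert, buggy parser: %d double free(s)\n", double_frees_for(GOOD_CERT, sizeof GOOD_CERT, parse_san_vuln));
    printf("bad cert, buggy parser:  %d double free(s)\n", double_frees_for(BAD_CERT, sizeof BAD_CERT, parse_san_vuln));
    printf("bad cert, fixed parser:  %d double free(s)\n", double_frees_for(BAD_CERT, sizeof BAD_CERT, parse_san_fixed));
    return 0;
}
```

The well-formed blob never reaches the error path, so both parsers behave the same; the malformed blob triggers one double free with the buggy parser and none with the fixed one. On a real appliance the second free() is what corrupts the heap and forces the crash and reload the advisory describes; clearing (or transferring) ownership at the point of release is the usual fix for this class of bug.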

Patch Information

To address this SSL/TLS denial of service vulnerability in Cisco ASA Software and Cisco FTD Software, Cisco has released software updates that correct the handling of incoming SSL/TLS certificates. Before the fix, an unauthenticated, remote attacker could cause an affected device to reload unexpectedly, producing a denial of service (DoS) condition.

Fixed Software Releases (as listed on this page; confirm the first fixed release for your train against the Cisco advisory or the Cisco Software Checker, since the fix dates recorded for some FTD releases below predate the 2025 disclosure of this CVE):

For Cisco ASA Software:

  • 9.8: Fixed in 9.8.4.40
  • 9.12: Fixed in 9.12.4.26
  • 9.14: Fixed in 9.14.3.9
  • 9.15: Fixed in 9.15.1.17
  • 9.16: Not vulnerable

For Cisco FTD Software:

  • 6.2.3: Fixed in 6.2.3.17
  • 6.4.0: Fixed in 6.4.0.13 (Nov 2021)
  • 6.6.0: Fixed in 6.6.5
  • 6.7.0: Fixed in 6.7.0.3 (Jan 2022)
  • 7.0.0: Not vulnerable

Upgrade Recommendations:

  1. Verify the current software version:

    • Run show version on the device (or check the device in FMC or FDM for FTD) and compare the running release with the first fixed release for its train listed above.
  2. Review the configuration:

    • Check whether AnyConnect IKEv2 Remote Access, AnyConnect SSL VPN, or Clientless SSL VPN is configured (show running-config webvpn and show running-config crypto ikev2 show the relevant sections). Only devices with one of these features listening for SSL/TLS connections are exposed.
  3. Plan the upgrade:

    • Schedule the upgrade during a maintenance window to minimize impact.
    • Back up the current configuration before proceeding.
  4. Download and install the fixed release:

    • Obtain the fixed release for your platform from the Cisco Software Download site and install it following the ASA or FTD upgrade procedure (FTD is upgraded through FMC or FDM).
  5. Post-upgrade verification:

    • After upgrading, run show version again to confirm the new release.
    • Monitor system logs to ensure normal operation.
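The version and configuration checks from steps 1, 2 and 5, as an added example that is not Cisco tooling: it runs offline over saved show version and show running-config output, matches the release against a first-fixed table transcribed from this page, and counts the SSL/TLS listeners the configuration enables. The sample output and configuration are constructed, and the table should be replaced with the releases in the current Cisco advisory before the result is trusted.

```c
/* Added example, not Cisco tooling: the "verify current version" and "review
 * configuration" steps above, run offline over saved CLI output. It reads the
 * release from show version text, compares it with a first-fixed table, and
 * counts the SSL/TLS listeners a running-config enables. The table is transcribed
 * from this page; replace it with the releases in the current Cisco advisory. */
#include <stdio.h>
#include <string.h>

/* train: prefix matched against the running release; affected == 0 marks a train listed as not vulnerable */
struct fix { const char *train; int fixed[4]; int affected; };

static const struct fix ASA_FIXES[] = {
    { "9.8",  { 9, 8, 4, 40 }, 1 }, { "9.12", { 9, 12, 4, 26 }, 1 },
    { "9.14", { 9, 14, 3, 9 }, 1 }, { "9.15", { 9, 15, 1, 17 }, 1 }, { "9.16", { 0 }, 0 },
};
static const struct fix FTD_FIXES[] = {
    { "6.2.3", { 6, 2, 3, 17 }, 1 }, { "6.4.0", { 6, 4, 0, 13 }, 1 },
    { "6.6", { 6, 6, 5, 0 }, 1 },    { "6.7.0", { 6, 7, 0, 3 }, 1 }, { "7.0", { 0 }, 0 },
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Reads up to four numbers from "9.14(3)9" (ASA style) or "6.4.0.12" (FTD style); missing fields are 0. */
static int parse_version(const char *s, int v[4])
{
    int n = 0;
    memset(v, 0, 4 * sizeof v[0]);
    while (*s && n < 4) {
        if (*s >= '0' && *s <= '9') {
            while (*s >= '0' && *s <= '9') v[n] = v[n] * 10 + (*s++ - '0');
            n++;
        } else if (*s == '.' || *s == '(' || *s == ')') s++;
        else break;
    }
    return n;
}

static int cmp_version(const int a[4], const int b[4])
{
    for (int i = 0; i < 4; i++)
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    return 0;
}

static int in_train(const int v[4], const char *train)
{
    int t[4], n = parse_version(train, t);
    for (int i = 0; i < n; i++)
        if (v[i] != t[i]) return 0;
    return 1;
}

/* 1 = running release is below its train's first fixed release, 0 = fixed or train not vulnerable,
 * -1 = no version found or train not in the table (check the advisory by hand). */
int release_status(const struct fix *tab, size_t ntab, const char *show_version)
{
    const char *p = strstr(show_version, "Version ");
    int v[4];
    if (p == NULL || parse_version(p + 8, v) == 0) return -1;
    for (size_t i = 0; i < ntab; i++) {
        if (!in_train(v, tab[i].train)) continue;
        if (!tab[i].affected) return 0;
        return cmp_version(v, tab[i].fixed) < 0 ? 1 : 0;
    }
    return -1;
}

/* Counts SSL/TLS listeners of the kinds the advisory names: "enable <interface>" under
 * webvpn (Clientless and AnyConnect SSL VPN) and IKEv2 client-services (AnyConnect IKEv2). */
int ssl_listeners(const char *config)
{
    int count = 0, in_webvpn = 0;
    char line[256];
    while (*config) {
        const char *eol = strchr(config, '\n');
        size_t len = eol ? (size_t)(eol - config) : strlen(config);
        snprintf(line, sizeof line, "%.*s", (int)len, config);
        if (line[0] != ' ') in_webvpn = strcmp(line, "webvpn") == 0;      /* new top-level section */
        else if (in_webvpn && strncmp(line, " enable ", 8) == 0) count++;
        if (strncmp(line, "crypto ikev2 enable ", 20) == 0 && strstr(line, "client-services")) count++;
        config = eol ? eol + 1 : config + len;
    }
    return count;
}

/* Constructed sample output and configuration (not from a real device). */
static const char ASA_SHOW_VERSION[] =
    "Cisco Adaptive Security Appliance Software Version 9.14(3)1\n"
    "Device Manager Version 7.14(1)\n";
static const char ASA_CONFIG[] =
    "hostname fw-edge\n"
    "interface GigabitEthernet0/0\n"
    " nameif outside\n"
    "webvpn\n"
    " enable outside\n"
    " anyconnect enable\n"
    "crypto ikev2 enable outside client-services port 443\n";

int main(void)
{
    printf("release status: %d, SSL/TLS listeners: %d\n",
           release_status(ASA_FIXES, COUNT(ASA_FIXES), ASA_SHOW_VERSION), ssl_listeners(ASA_CONFIG));
    return 0;
}
```

For the constructed sample, 9.14(3)1 sits below 9.14.3.9 and the configuration enables two listeners (webvpn on the outside interface and IKEv2 client services), so the device is both vulnerable and exposed. A release in a train the table does not know returns -1 rather than a false "fixed", which is the safe default when the table lags the advisory.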

By promptly applying these updates, administrators can mitigate the risk associated with this vulnerability and enhance the security posture of their network infrastructure.

For detailed information, refer to the official Cisco Security Advisory: Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software SSL/TLS Denial of Service Vulnerability.

Affected Systems and Versions

Cisco ASA Software:

  • 9.8 (prior to 9.8.4.40)
  • 9.12 (prior to 9.12.4.26)
  • 9.14 (prior to 9.14.3.9)
  • 9.15 (prior to 9.15.1.17)
  • 9.16: Not vulnerable

Cisco FTD Software:

  • 6.2.3 (prior to 6.2.3.17)
  • 6.4.0 (prior to 6.4.0.13)
  • 6.6.0 (prior to 6.6.5)
  • 6.7.0 (prior to 6.7.0.3)
  • 7.0.0: Not vulnerable

Vulnerable configurations:

  • Devices with AnyConnect IKEv2 Remote Access, AnyConnect SSL VPN, or Clientless SSL VPN features enabled and listening for SSL/TLS connections.

Vendor Security History

Cisco has a history of SSL/TLS-related vulnerabilities in ASA and FTD products, often involving memory management or cryptographic processing errors. Previous advisories have addressed similar issues, including improper input validation and memory handling in SSL/TLS packet processing. Cisco typically responds with timely advisories and detailed patch guidance, but the recurrence of such flaws highlights ongoing challenges in secure protocol implementation in complex network devices.
