Cisco ASA and FTD NAT DNS Inspection Infinite Loop (CVE-2025-20136): Brief Summary and Technical Review

A brief summary of CVE-2025-20136, a high-severity infinite loop vulnerability in Cisco ASA and FTD NAT DNS inspection. This post covers technical details, affected versions, and vendor security history based on available public information.
ZeroPath CVE Analysis

2025-08-14

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Unexpected device reloads and network outages have real consequences for organizations relying on Cisco Secure Firewall Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. CVE-2025-20136 is a high-severity vulnerability that can be exploited remotely and without authentication, resulting in denial of service for critical network infrastructure.

Cisco ASA and FTD are widely deployed security platforms in enterprise and service provider environments. These products provide firewall, VPN, and advanced threat protection capabilities, serving as a backbone for secure network operations across industries.

Technical Information

CVE-2025-20136 is a vulnerability in the function that performs IPv4 and IPv6 Network Address Translation (NAT) DNS inspection in Cisco Secure Firewall ASA and FTD software. The flaw is triggered when DNS inspection is enabled and the device is configured for NAT44, NAT64, or NAT46. An unauthenticated remote attacker can send specially crafted DNS packets that match a static NAT rule with DNS inspection enabled. When processed, these packets cause the device to enter an infinite loop, leading to a forced reload and a denial of service condition.

The root cause is a loop with an unreachable exit condition (CWE-835) in the DNS inspection logic. DNS inspection is enabled by default on many ASA and FTD deployments. The attack does not require authentication or elevated privileges, increasing its risk profile. The vulnerability is similar to previous issues in Cisco's DNS inspection code, such as CVE-2022-20760, which also allowed denial of service via crafted DNS requests.

No public code snippets or vulnerable code lines have been released for this vulnerability. The attack vector is straightforward: send crafted DNS packets through a NAT rule with DNS inspection enabled, exploiting the infinite loop in the inspection engine.

Affected Systems and Versions

  • Cisco Secure Firewall Adaptive Security Appliance (ASA) Software
  • Cisco Secure Firewall Threat Defense (FTD) Software
  • Devices configured for NAT44, NAT64, or NAT46 with DNS inspection enabled

Specific affected version numbers are not provided in the public sources as of the report date. The vulnerability is present when static NAT rules with DNS inspection are active.
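Since no vulnerable code is public, the useful defender-side step is confirming whether a device meets the precondition described above: DNS inspection applied through a service policy together with static NAT rules. The following script is an added example, not Cisco's code or part of the advisory; it parses a constructed ASA running-config excerpt (standard ASA CLI syntax, with placeholder object names and RFC 5737 addresses) and reports whether both conditions are present.

```python
"""Audit a saved ASA/FTD running-config for the CVE-2025-20136 precondition.
Added example (not from Cisco or the advisory). SAMPLE_CONFIG is constructed;
object names and addresses are placeholders."""
import re

SAMPLE_CONFIG = """\
object network WEB-SERVER
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10 dns
object network DYNAMIC-POOL
 nat (inside,outside) dynamic interface
nat (inside,outside) source static LAN-A LAN-B destination static DNS-A DNS-B
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""

def dns_inspection_enabled(config: str) -> bool:
    """True if a policy-map that is applied via 'service-policy' carries 'inspect dns'."""
    applied = set(re.findall(r"^service-policy\s+(\S+)", config, re.M))
    current = None
    for line in config.splitlines():
        m = re.match(r"^policy-map\s+(\S+)", line)
        if m:
            current = m.group(1)
        elif re.match(r"^\S", line):  # any other top-level command ends the policy-map block
            current = None
        elif current in applied and re.match(r"^\s+inspect dns\b", line):
            return True
    return False

def static_nat_rules(config: str) -> list:
    """Every 'nat (...) ... static ...' line, covering object NAT and twice NAT."""
    return [l.strip() for l in config.splitlines()
            if re.match(r"^\s*nat\s+\(.*\).*\bstatic\b", l)]

def audit(config: str) -> dict:
    """Combine both checks; 'precondition_present' means the device should be prioritised for patching."""
    rules = static_nat_rules(config)
    inspect = dns_inspection_enabled(config)
    return {"dns_inspection": inspect, "static_nat_rules": rules,
            "precondition_present": inspect and bool(rules)}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Feed it the output of `show running-config` from each appliance; a device where `precondition_present` is true matches the configuration the text describes and should be patched first.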

Vendor Security History

Cisco has a history of similar vulnerabilities in its firewall platforms, particularly involving DNS inspection and NAT handling. Notable examples include:

  • CVE-2024-20353: Web server denial of service in ASA and FTD (actively exploited)
  • CVE-2022-20760: DNS inspection handler denial of service
  • CVE-2024-20359: Persistent local code execution in ASA and FTD (actively exploited)

Cisco typically issues timely advisories and patches for critical vulnerabilities, but the recurrence of issues in protocol inspection engines highlights ongoing complexity and risk in these components.
