Cisco ASA and FTD RADIUS Proxy IPv6 DoS (CVE-2025-20222): Brief Summary and Technical Review

This post provides a brief summary and technical review of CVE-2025-20222, a high-severity denial of service vulnerability in the RADIUS proxy feature for IPsec VPN in Cisco ASA and FTD software. The flaw is due to improper IPv6 packet processing and affects specific configurations. No patch or detection methods are currently available.
CVE Analysis

ZeroPath CVE Analysis

2025-08-14

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

A single crafted IPv6 packet can force a critical Cisco firewall offline, disrupting VPN connectivity for thousands of users. This is the real-world impact of CVE-2025-20222, a high-severity denial of service flaw in Cisco's Secure Firewall ASA and FTD appliances. These devices are foundational to enterprise and government network security, protecting remote access and site-to-site VPNs globally.

Technical Information

CVE-2025-20222 is a buffer overflow vulnerability (CWE-120) in the RADIUS proxy feature for IPsec VPN within Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. The vulnerability is triggered by improper processing of IPv6 packets. An unauthenticated remote attacker can send specially crafted IPv6 packets over an IPsec VPN connection to the affected device. When these packets are processed by the RADIUS proxy logic, insufficient bounds checking allows memory corruption, resulting in a device reload and denial of service.

No public code snippets or detailed protocol traces have been disclosed. The vulnerability specifically affects the IPv6 packet handling routines in the RADIUS proxy code path when used in conjunction with IPsec VPN. The flaw does not require authentication, making it accessible to any attacker capable of sending traffic through an established IPsec tunnel.
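To make "insufficient bounds checking" concrete, the following is an added example, hypothetical code that is neither Cisco's nor the undisclosed defect itself: a bounds-checked walk over an IPv6 extension-header chain with constructed sample packets. Every header length is validated against the buffer and the declared Payload Length before the parser advances; omitting such a check on attacker-controlled length fields is the CWE-120 pattern the advisory describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not Cisco's code: a bounds-checked walk of an IPv6 extension-header chain.
 * Returns the byte offset of the upper-layer header (its protocol number via *upper), or -1
 * if any header would run past the buffer or past the declared Payload Length. */
#define IPV6_HDR_LEN 40
int ipv6_upper_offset(const uint8_t *pkt, size_t len, uint8_t *upper) {
    if (pkt == NULL || len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6) return -1;
    size_t payload_len = ((size_t)pkt[4] << 8) | pkt[5];
    if (payload_len > len - IPV6_HDR_LEN) return -1;     /* declared length vs real buffer */
    size_t off = IPV6_HDR_LEN, end = IPV6_HDR_LEN + payload_len;
    uint8_t nh = pkt[6];                                 /* Next Header of the fixed header */
    int hops = 0;
    /* 0 Hop-by-Hop, 43 Routing, 44 Fragment, 60 Destination Options */
    while (nh == 0 || nh == 43 || nh == 44 || nh == 60) {
        if (++hops > 8 || off + 2 > end) return -1;      /* bound the chain; need NH + Hdr Ext Len */
        size_t ext_len = (nh == 44) ? 8 : ((size_t)pkt[off + 1] + 1) * 8;
        if (ext_len > end - off) return -1;              /* verify before advancing, no wraparound */
        nh = pkt[off];
        off += ext_len;
    }
    if (upper) *upper = nh;
    return (int)off;
}

/* Constructed sample: IPv6 header (Payload Length 16, Next Header = Destination Options),
 * one 8-byte Destination Options header pointing at UDP (17), then an 8-byte UDP header. */
static void build_sample(uint8_t *buf, uint8_t hdr_ext_len) {
    memset(buf, 0, 56);
    buf[0] = 0x60;           /* version 6 */
    buf[5] = 16;             /* Payload Length */
    buf[6] = 60;             /* Next Header: Destination Options */
    buf[40] = 17;            /* ext hdr Next Header: UDP */
    buf[41] = hdr_ext_len;   /* ext hdr length field: (n + 1) * 8 bytes */
}

int check_well_formed(void) {         /* returns 48 (offset of the UDP header) */
    uint8_t pkt[56], up = 0;
    build_sample(pkt, 0);
    int off = ipv6_upper_offset(pkt, sizeof pkt, &up);
    return (up == 17) ? off : -2;
}
int check_oversized_ext_len(void) {   /* returns -1: Hdr Ext Len claims 1608 bytes */
    uint8_t pkt[56];
    build_sample(pkt, 200);
    return ipv6_upper_offset(pkt, sizeof pkt, NULL);
}
```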

Affected Systems and Versions

  • Cisco Secure Firewall Adaptive Security Appliance (ASA) Software: versions with RADIUS proxy enabled for IPsec VPN and IPv6 processing
  • Cisco Secure Firewall Threat Defense (FTD) Software: versions with RADIUS proxy enabled for IPsec VPN and IPv6 processing

Only devices configured to use the RADIUS proxy feature for IPsec VPN with IPv6 traffic are vulnerable. Exact version numbers are not specified in the advisory, but the vulnerability is present in currently supported releases as of August 2025. See the Cisco advisory for updates.

Vendor Security History

Cisco ASA and FTD platforms have experienced multiple high-severity vulnerabilities in recent years, including:

  • CVE-2024-20481: Remote Access VPN DoS, actively exploited
  • CVE-2024-20353: Web services DoS, CVSS 8.6
  • Multiple buffer overflow and protocol parsing issues (CWE-120)

Cisco typically issues advisories and patches rapidly, but the frequency of critical flaws in these products is a recurring concern for enterprise defenders.
