CVE-2025-20127

Severity: High (CVSS 3.1 base score 7.7) · EPSS 43.2%
Published: Aug 14, 2025 · Last Modified: Jun 17, 2026

Description

A vulnerability in the TLS 1.3 implementation for a specific cipher for Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software for Cisco Firepower 3100 and 4200 Series devices could allow an authenticated, remote attacker to consume resources that are associated with incoming TLS 1.3 connections, which eventually could cause the device to stop accepting any new SSL/TLS or VPN requests. This vulnerability is due to the implementation of the TLS 1.3 Cipher TLS_CHACHA20_POLY1305_SHA256. An attacker could exploit this vulnerability by sending a large number of TLS 1.3 connections with the specific TLS 1.3 Cipher TLS_CHACHA20_POLY1305_SHA256. A successful exploit could allow the attacker to cause a denial of service (DoS) condition where no new incoming encrypted connections are accepted. The device must be reloaded to clear this condition. Note: These incoming TLS 1.3 connections include both data traffic and user-management traffic. After the device is in the vulnerable state, no new encrypted connections can be accepted.
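The description makes two points a practitioner will want to verify on their own devices: the condition is tied to one TLS 1.3 cipher suite, TLS_CHACHA20_POLY1305_SHA256 (code point 0x1303), and it is triggered by volume of connections using it. The script below is an added example, not code from the tracker page or from Cisco's advisory. It sends a single TLS 1.3 ClientHello that offers only 0x1303 and an empty key_share, so a server that supports the suite answers with a HelloRetryRequest (a ServerHello carrying the selected suite) and a server that does not answers with an alert; no handshake is completed. The same ClientHello parser can be pointed at a captured ClientHello to see whether a client is offering only that suite. The host name `fw.example.test` and the minimal extension set are assumptions for illustration; the HelloRetryRequest sample used for offline testing is constructed in the script.

```python
"""Probe whether a TLS 1.3 server will select TLS_CHACHA20_POLY1305_SHA256.

Added example for CVE-2025-20127 (not the page's or Cisco's code). One
ClientHello, no completed handshake: an exposure check, not a load test.
"""
import socket
import struct
import sys

TLS_CHACHA20_POLY1305_SHA256 = 0x1303
# RFC 8446 section 4.1.3: the fixed Random value that marks a HelloRetryRequest.
HRR_RANDOM = bytes.fromhex(
    "cf21ad74e59a6111be1d8c021e65b891c2a211167abb8c5e079e09e2c8a8339c")


def _ext(ext_type: int, body: bytes) -> bytes:
    """Encode one TLS extension: type (2 bytes), length (2 bytes), body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name: str,
                       suites=(TLS_CHACHA20_POLY1305_SHA256,),
                       random_bytes: bytes = b"\x00" * 32) -> bytes:
    """Return one TLS record holding a TLS 1.3 ClientHello offering `suites`.

    The key_share extension is deliberately empty (allowed by RFC 8446
    section 4.2.8) so the server replies with a HelloRetryRequest instead of
    continuing the handshake.  `server_name` is sent as SNI (assumed value).
    """
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    name = server_name.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(name)) + name          # host_name type
    sni = struct.pack("!H", len(sni_entry)) + sni_entry
    groups = struct.pack("!HH", 2, 0x001D)                        # x25519 only
    sig_algs = struct.pack("!HHHH", 6, 0x0403, 0x0804, 0x0401)    # ecdsa/rsa-pss/rsa-pkcs1 sha256
    versions = struct.pack("!BH", 2, 0x0304)                      # TLS 1.3 only
    key_share = struct.pack("!H", 0)                              # empty client_shares
    extensions = (_ext(0, sni) + _ext(10, groups) + _ext(13, sig_algs)
                  + _ext(43, versions) + _ext(51, key_share))
    body = (b"\x03\x03" + random_bytes + b"\x00"                  # legacy_version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                         # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def offered_suites(record: bytes) -> list:
    """Return the cipher suites offered in a ClientHello record (e.g. one cut from a capture)."""
    payload = record[5:]
    if len(payload) < 4 or payload[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    sid_len = body[34]                                            # after version(2) + random(32)
    n = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
    start = 37 + sid_len
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(start, start + n, 2)]


def parse_server_response(data: bytes):
    """Classify the first TLS record a server sends back.

    Returns ("server_hello", suite, is_hello_retry_request),
            ("alert", level, description) or ("other", record_type, None).
    """
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    rec_type, _version, rec_len = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + rec_len]
    if rec_type == 21 and len(payload) >= 2:                       # alert
        return ("alert", payload[0], payload[1])
    if rec_type != 22 or len(payload) < 4 or payload[0] != 2:      # not a ServerHello
        return ("other", rec_type, None)
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    random_bytes = body[2:34]
    sid_len = body[34]
    suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
    return ("server_hello", suite, random_bytes == HRR_RANDOM)


def server_accepts_chacha(response: bytes) -> bool:
    """True if the server's first record selects TLS_CHACHA20_POLY1305_SHA256."""
    kind, value, _ = parse_server_response(response)
    return kind == "server_hello" and value == TLS_CHACHA20_POLY1305_SHA256


def sample_hello_retry_request(suite: int) -> bytes:
    """Constructed sample HelloRetryRequest record (offline testing only)."""
    body = (b"\x03\x03" + HRR_RANDOM + b"\x00" + struct.pack("!H", suite)
            + b"\x00" + struct.pack("!H", 0))
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def _read_record(sock) -> bytes:
    """Read exactly one TLS record (5-byte header plus payload) from the socket."""
    header = b""
    while len(header) < 5:
        chunk = sock.recv(5 - len(header))
        if not chunk:
            raise ConnectionError("connection closed before a TLS record arrived")
        header += chunk
    rec_len = struct.unpack("!H", header[3:5])[0]
    payload = b""
    while len(payload) < rec_len:
        chunk = sock.recv(rec_len - len(payload))
        if not chunk:
            raise ConnectionError("connection closed mid-record")
        payload += chunk
    return header + payload


def probe(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Open one connection and report whether the server selects suite 0x1303."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        return server_accepts_chacha(_read_record(sock))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "fw.example.test"   # assumed host
    print(f"{target}: TLS_CHACHA20_POLY1305_SHA256 "
          f"{'selected' if probe(target) else 'not selected'}")
```

Run it as `python probe.py <hostname>` against the ASA/FTD SSL or VPN listener; a HelloRetryRequest carrying 0x1303 means the device will negotiate the affected suite. The same check with stock tooling is `openssl s_client -tls1_3 -ciphersuites TLS_CHACHA20_POLY1305_SHA256 -connect host:443`, which completes a full handshake; the raw-record approach above is used here because Python's ssl module does not expose TLS 1.3 ciphersuite selection, and because it stops before any key exchange. Run it once per target, not in a loop: the vulnerability is triggered by volume.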

CVSS Details

Base Score 7.7
Exploitability 3.1
Impact 4.0
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Changed
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
43.2% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-404 Improper Resource Shutdown or Release

This matches the description: resources tied to incoming TLS 1.3 connections using TLS_CHACHA20_POLY1305_SHA256 are consumed and not released, and only a reload of the device clears the condition.

Affected Products 32

Vendor  Product                               Version    Range
cisco   firepower_threat_defense              7.4.0      any
cisco   firepower_threat_defense              7.4.1      any
cisco   firepower_threat_defense              7.4.1.1    any
cisco   firepower_threat_defense              7.4.2      any
cisco   firepower_threat_defense              7.4.2.1    any
cisco   firepower_threat_defense              7.6.0      any
cisco   secure_firewall_3105                  *          any
cisco   secure_firewall_3110                  *          any
cisco   secure_firewall_3120                  *          any
cisco   secure_firewall_3130                  *          any
cisco   secure_firewall_3140                  *          any
cisco   secure_firewall_4215                  *          any
cisco   secure_firewall_4225                  *          any
cisco   secure_firewall_4245                  *          any
cisco   adaptive_security_appliance_software  9.20.1     any
cisco   adaptive_security_appliance_software  9.20.1.5   any
cisco   adaptive_security_appliance_software  9.20.2     any
cisco   adaptive_security_appliance_software  9.20.2.10  any
cisco   adaptive_security_appliance_software  9.20.2.21  any
cisco   adaptive_security_appliance_software  9.20.2.22  any
cisco   adaptive_security_appliance_software  9.20.3     any
cisco   adaptive_security_appliance_software  9.20.3.4   any
cisco   adaptive_security_appliance_software  9.20.3.7   any
cisco   adaptive_security_appliance_software  9.22.1.1   any
cisco   secure_firewall_3105                  *          any
cisco   secure_firewall_3110                  *          any
cisco   secure_firewall_3120                  *          any
cisco   secure_firewall_3130                  *          any
cisco   secure_firewall_3140                  *          any
cisco   secure_firewall_4215                  *          any
cisco   secure_firewall_4225                  *          any
cisco   secure_firewall_4245                  *          any

The Secure Firewall 3100 and 4200 Series hardware entries are listed twice: once following the FTD versions and once following the ASA versions, which is how the count reaches 32.

References 1

  • sec.cloudapps.cisco.com https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-3100_4200_tlsdos-2yNSCd54
    Vendor Advisory

Remediation

No remediation data recorded yet.

Once a device is in the vulnerable state, the only recovery the description gives is a reload; that clears the condition but does not fix the underlying defect. Check the Cisco advisory linked above and the NVD entry for fixed releases and any workaround.