CVE-2025-20136

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-20136
A vulnerability in the function that performs IPv4 and IPv6 Network Address Translation (NAT) DNS inspection for Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition.  This vulnerability is due to an infinite loop condition that occurs when a Cisco Secure ASA or Cisco Secure FTD device processes DNS packets with DNS inspection enabled and the device is configured for NAT44, NAT64, or NAT46. An attacker could exploit this vulnerability by sending crafted DNS packets that match a static NAT rule with DNS inspection enabled through an affected device. A successful exploit could allow the attacker to create an infinite loop and cause the device to reload, resulting in a DoS condition.

8.6 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-nat-dns-dos-bqhynHTM
Configurations

No configuration.

History

15 Apr 2026, 00:35

Type Values Removed Values Added
Summary
  • (es) Una vulnerabilidad en la función que realiza la inspección de DNS de la Traducción de Direcciones de Red (NAT) IPv4 e IPv6 para el software Cisco Secure Firewall Adaptive Security Appliance (ASA) y el software Cisco Secure Firewall Threat Defense (FTD) podría permitir que un atacante remoto no autenticado reinicie el dispositivo inesperadamente, lo que resulta en una denegación de servicio (DoS). Esta vulnerabilidad se debe a un bucle infinito que se produce cuando un dispositivo Cisco Secure ASA o Cisco Secure FTD procesa paquetes DNS con la inspección de DNS habilitada y está configurado para NAT44, NAT64 o NAT46. Un atacante podría explotar esta vulnerabilidad enviando paquetes DNS manipulados que coincidan con una regla NAT estática con la inspección de DNS habilitada a través de un dispositivo afectado. Una explotación exitosa podría permitir al atacante crear un bucle infinito y provocar la recarga del dispositivo, lo que resulta en una denegación de servicio (DoS).

14 Aug 2025, 17:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-08-14 17:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-20136

Mitre link : CVE-2025-20136

CVE.ORG link : CVE-2025-20136

JSON object : View

Products Affected

No product.

CWE
CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')