Cisco Secure Firewall ASA and FTD Software IKEv2 Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Internet Key Exchange Version 2 (IKEv2) module of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software. This vulnerability allows an unauthenticated, remote attacker to trigger a memory leak, leading to system instability. The issue arises from improper parsing of IKEv2 packets, which can be exploited by sending a continuous stream of crafted packets to the affected device. As a result, the device may become unable to establish new IKEv2 VPN sessions, requiring a manual reboot to recover.

Impact

Exploitation of this vulnerability causes a memory leak that disrupts system stability, particularly by interfering with IKEv2 VPN session management. On affected devices, new IKEv2 VPN sessions cannot be established, and the device must be manually rebooted to restore normal functionality.

Remediation

Cisco has released software updates that address this vulnerability. Instructions for upgrading Cisco Secure Firewall ASA Software and Secure Firewall Threat Defense (FTD) Software are available in the respective product upgrade guides. For Cisco IOS and IOS XE Software, the Cisco Software Checker tool can be used to determine exposure to this vulnerability and identify the first fixed release.

Added: Aug 14, 2025, 5:58 PM
Updated: Aug 14, 2025, 5:58 PM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 0.6
exploitability: 7.8
remediation: 7.7
relevance: 0.4
threat: 0.0
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.