CVE-2025-20127

HIGH
Published: Aug 14, 2025 | Modified: Aug 25, 2025 | CWE-404

Description

A vulnerability in the TLS 1.3 implementation for a specific cipher for Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software for Cisco Firepower 3100 and 4200 Series devices could allow an authenticated, remote attacker to consume resources that are associated with incoming TLS 1.3 connections, which eventually could cause the device to stop accepting any new SSL/TLS or VPN requests. This vulnerability is due to the implementation of the TLS 1.3 Cipher TLS_CHACHA20_POLY1305_SHA256. An attacker could exploit this vulnerability by sending a large number of TLS 1.3 connections with the specific TLS 1.3 Cipher TLS_CHACHA20_POLY1305_SHA256. A successful exploit could allow the attacker to cause a denial of service (DoS) condition where no new incoming encrypted connections are accepted. The device must be reloaded to clear this condition. Note: These incoming TLS 1.3 connections include both data traffic and user-management traffic. After the device is in the vulnerable state, no new encrypted connections can be accepted.

CVSS v3.1 Score

7.7
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Weakness Type (CWE)

CWE-404

Affected Products

Vendor   Product
cisco    firepower_threat_defense
cisco    adaptive_security_appliance_software
cisco    secure_firewall_3105
cisco    secure_firewall_3110
cisco    secure_firewall_3120
cisco    secure_firewall_3130
cisco    secure_firewall_3140
cisco    secure_firewall_4215
cisco    secure_firewall_4225
cisco    secure_firewall_4245

References

Frequently Asked Questions

What is CVE-2025-20127?
CVE-2025-20127 is a resource-exhaustion (CWE-404) vulnerability in the TLS 1.3 implementation of the TLS_CHACHA20_POLY1305_SHA256 cipher in Cisco Secure Firewall ASA and FTD Software for Firepower 3100 and 4200 Series devices; see the Description above for the full advisory text. It has a CVSS v3.1 base score of 7.7 (HIGH).
How severe is CVE-2025-20127?
CVE-2025-20127 has a CVSS v3.1 score of 7.7 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.
What products are affected by CVE-2025-20127?
CVE-2025-20127 affects products from cisco, specifically: adaptive_security_appliance_software, firepower_threat_defense, secure_firewall_3105, secure_firewall_3110, secure_firewall_3120, secure_firewall_3130, secure_firewall_3140, secure_firewall_4215, secure_firewall_4225, secure_firewall_4245. Check the affected products table above for specific version ranges.
How do I check if I'm vulnerable to CVE-2025-20127?
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.
