Cisco IOS, IOS XE, Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2 Denial of Service Vulnerability

Priority: Plan Patch
CVSS score: 8.6
Advisory ID: cisco-sa-asa-ftd-ios-dos-kPEpQGGK
Date: Mar 25, 2026
Vendor: Cisco
IT in OT - Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in IKEv2 parsing in Cisco IOS, IOS XE, Secure Firewall ASA, and Secure Firewall Threat Defense Software allows an unauthenticated remote attacker to trigger a memory leak by sending crafted IKEv2 packets. On IOS/IOS XE routers, this causes device reload and denial of service. On ASA/FTD firewalls, this causes memory exhaustion, system instability, and inability to establish new VPN sessions. Recovery requires manual reboot. Cisco has released software updates.

What this means
What could happen
An attacker can send specially crafted IKEv2 packets to cause your router, firewall, or VPN device to either crash and reboot or leak memory until it becomes unstable and can't establish new VPN connections, resulting in network downtime.
Who's at risk
This affects organizations using Cisco routers (IOS/IOS XE), ASA firewalls, or FTD threat defense appliances that have IKEv2 VPN enabled. Critical for any facility relying on Cisco VPN connections for remote access, site-to-site connectivity, or secure communications.
How it could be exploited
An attacker sends crafted IKEv2 packets to your device's IKEv2 port (typically UDP 500 or 4500) from the internet. The device misparses these packets, causing either an immediate crash (on IOS/IOS XE routers) or gradual memory exhaustion (on ASA/FTD firewalls) until the device becomes unusable.
Prerequisites
  • Network access to IKEv2 port (UDP 500 or 4500) on the affected device
  • IKEv2 feature enabled on the device
Risk factors
  • remotely exploitable
  • no authentication required
  • low complexity
  • high CVSS score (8.6)
  • affects VPN/network availability
  • no patch mentioned for some versions
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product: Cisco IOS, IOS XE, Secure Firewall Adaptive Security Appliance, and Secure Firewall Threat Defense Software IKEv2
Affected versions: 12.2(6)I1 through 3.9.2bE
Fix status: Fix available
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to IKEv2 ports (UDP 500, 4500) at your firewall or router edge to allow only trusted VPN peers
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update Cisco IOS Software to patched version
  • HOTFIX: Update Cisco IOS XE Software to patched version
  • HOTFIX: Update Cisco Secure Firewall ASA Software to patched version
  • HOTFIX: Update Cisco Secure Firewall Threat Defense (FTD) Software to patched version
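One way to apply the workaround above on an IOS/IOS XE edge router, as an added example that is not from the Cisco advisory; the peer addresses, the router's VPN address and the interface name are placeholders, and the trailing permit stands in for your existing edge policy:

```cisco
! Added example (not from the advisory): accept IKEv2 only from trusted VPN peers.
! Placeholders: 203.0.113.10 and 203.0.113.20 are the trusted remote peers,
! 198.51.100.1 is this router's public VPN address, GigabitEthernet0/0/0 faces the internet.
ip access-list extended IKE-EDGE-IN
 remark isakmp = UDP 500, non500-isakmp = UDP 4500 (IKEv2 and NAT-T)
 permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.1 eq non500-isakmp
 permit udp host 203.0.113.20 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.20 host 198.51.100.1 eq non500-isakmp
 remark Drop IKE from every other source and log it so probing is visible in syslog
 deny   udp any any eq isakmp log
 deny   udp any any eq non500-isakmp log
 remark Placeholder for the rest of the edge policy (ESP, protocol 50, must stay permitted)
 permit ip any any
!
interface GigabitEthernet0/0/0
 ip access-group IKE-EDGE-IN in
```

The ACL filters both transit and to-the-router traffic on that interface, so confirm the existing policy before replacing the final permit; on ASA/FTD the same source restriction is expressed with the appliance's own access-list syntax.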