CVE-2025-20192: Improper Handling of Undefined Values in Cisco IOS XE Software

Severity: 7.7 HIGH (NVD)
EPSS: 0.6% (top 31.92%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published 2025-05-07

Description

A vulnerability in the Internet Key Exchange version 1 (IKEv1) implementation of Cisco IOS XE Software could allow an authenticated, remote attacker to cause a denial of service (DoS) condition. The attacker must have valid IKEv1 VPN credentials to exploit this vulnerability. This vulnerability is due to improper validation of IKEv1 phase 2 parameters before the IPsec security association creation request is handed off to the hardware cryptographic accelerator of an affected device. An attacker
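The description narrows the attack surface to devices that terminate IKEv1 (ISAKMP) VPN sessions, so the first triage question is whether a given IOS XE box still has IKEv1 configured and bound to an interface. The following check is an added example written for this page; it is not cvebase or Cisco code. The running-config excerpt is constructed, and the indicator patterns (`crypto isakmp ...`, `crypto map <name> <seq> ipsec-isakmp`, `crypto map <name>` under an interface) are the author's assumptions about common IOS XE IKEv1 syntax, not a vendor-published list.

```python
"""Flag IKEv1 (ISAKMP) configuration in an IOS XE running-config excerpt as a
first-pass exposure check for CVE-2025-20192.  Added example, not from cvebase
or Cisco; the config text is constructed and the patterns are assumptions."""
import re

# Constructed sample: an ISAKMP-based crypto map applied to an interface,
# alongside an unrelated IKEv2 proposal that should not be flagged.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key example-psk address 203.0.113.10
!
crypto ikev2 proposal PROP-1
 encryption aes-cbc-256
!
crypto ipsec transform-set TS-1 esp-aes 256 esp-sha-hmac
!
crypto map CM-1 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-1
 match address 101
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map CM-1
"""

# Global-config lines that indicate IKEv1 is in use (assumed indicator set).
IKEV1_PATTERNS = [
    re.compile(r"^crypto isakmp (policy|key|profile)\b"),
    re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp\b"),
]
ISAKMP_MAP = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp\b")
INTERFACE = re.compile(r"^interface (\S+)")
APPLIED_MAP = re.compile(r"^\s+crypto map (\S+)\s*$")


def find_ikev1(config: str) -> list:
    """Return (line number, line) for every IKEv1 indicator line."""
    hits = []
    for lineno, line in enumerate(config.splitlines(), 1):
        if any(p.match(line) for p in IKEV1_PATTERNS):
            hits.append((lineno, line.strip()))
    return hits


def ikev1_exposure(config: str) -> dict:
    """Correlate ISAKMP crypto maps with the interfaces they are applied to.

    'exposed' is True only when an ipsec-isakmp map is bound to an interface,
    i.e. the device actually offers an IKEv1 endpoint on the wire."""
    isakmp_maps = set()
    applied = []          # (interface, map name)
    current_if = None
    for line in config.splitlines():
        m = ISAKMP_MAP.match(line)
        if m:
            isakmp_maps.add(m.group(1))
            continue
        m = INTERFACE.match(line)
        if m:
            current_if = m.group(1)
            continue
        if not line.startswith(" "):
            current_if = None     # left the interface sub-mode
            continue
        m = APPLIED_MAP.match(line)
        if m and current_if:
            applied.append((current_if, m.group(1)))
    exposed_ifs = sorted(i for i, name in applied if name in isakmp_maps)
    return {
        "ikev1_lines": find_ikev1(config),
        "isakmp_maps": sorted(isakmp_maps),
        "exposed_interfaces": exposed_ifs,
        "exposed": bool(exposed_ifs),
    }


if __name__ == "__main__":
    report = ikev1_exposure(SAMPLE_CONFIG)
    for lineno, text in report["ikev1_lines"]:
        print(f"line {lineno}: {text}")
    print("IKEv1 endpoint active on:", report["exposed_interfaces"])
```

A hit here only means the device is a candidate; whether the running release is actually affected has to be confirmed against Cisco's advisory and the fixed software it lists, which this page does not reproduce.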

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Exploitability: 3.1 | Impact: 4.0

Affected Packages (1 package)

CVEList V5: cisco/cisco_ios_xe_software, 189 affected versions listed

Vulnerability Details (2 sources)

GHSA: GHSA-ffcc-cqg6-6f7v (2025-05-07), same description as above
CVEList: CVE-2025-20192 (2025-05-07), same description as above

Vendor Advisories (1)

Cisco: Cisco IOS XE Software Internet Key Exchange Version 1 Denial of Service Vulnerability (2025-05-07)

Source: cvebase