CVE-2025-20271Use of Uninitialized Variable in Cisco Meraki MX Firmware

CWE-457Use of Uninitialized Variable4 documents4 sources
Severity
8.6HIGHNVD
EPSS
0.2%
top 61.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Cisco Meraki MX Firmware
Timeline
PublishedJun 18

Description

A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition in the Cisco AnyConnect service on an affected device. This vulnerability is due to variable initialization errors when an SSL VPN session is established. An attacker could exploit this vulnerability by sending a sequence of crafted HTTPS requests to an affected device. A successful

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:HExploitability: 3.9 | Impact: 4.0

Affected Packages1 packages

🔴Vulnerability Details

2
CVEList
Cisco Meraki MX and Z Series AnyConnect VPN with Client Certificate Authentication Denial of Service Vulnerability2025-06-18
GHSA
GHSA-m673-qg9w-p8mh: A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices could allow an unauthentica2025-06-18

📋Vendor Advisories

1
Cisco
Cisco Meraki MX and Z Series AnyConnect VPN with Client Certificate Authentication Denial of Service Vulnerability2025-06-18
CVE-2025-20271 — Use of Uninitialized Variable in Cisco | cvebase