CVE-2025-20127

Name: CVE-2025-20127
Creator: NVD / NIST
Published: 2025-08-14T17:15:33.907+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.7/10EPSS 0.58%

Last modified Jun 17, 2026

CVE-2025-20127 is a high-severity vulnerability rated 7.7/10 on the CVSS scale. A vulnerability in the TLS 1.3 implementation for a specific cipher for Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software for Cisco Firepower 3100 and 4200 Series devices could allow an authenticated, remote attacker to consume resources that are associated with incoming TLS 1.3 connections, which eventually could cause the device to stop accepting any new SSL/TLS or VPN requests. This vulnerability is due to the implementation of the TLS 1.3 Cipher TLS_CHACHA20_POLY1305_SHA256. An attacker could exploit this vulnerability by sending a large number of TLS 1.3 connections with the specific TLS 1.3 Cipher TLS_CHACHA20_POLY1305_SHA256. EPSS estimates a 0.58% chance of exploitation in the next 30 days.

Description

A vulnerability in the TLS 1.3 implementation for a specific cipher for Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software for Cisco Firepower 3100 and 4200 Series devices could allow an authenticated, remote attacker to consume resources that are associated with incoming TLS 1.3 connections, which eventually could cause the device to stop accepting any new SSL/TLS or VPN requests. This vulnerability is due to the implementation of the TLS 1.3 Cipher TLS_CHACHA20_POLY1305_SHA256. An attacker could exploit this vulnerability by sending a large number of TLS 1.3 connections with the specific TLS 1.3 Cipher TLS_CHACHA20_POLY1305_SHA256. A successful exploit could allow the attacker to cause a denial of service (DoS) condition where no new incoming encrypted connections are accepted. The device must be reloaded to clear this condition. Note: These incoming TLS 1.3 connections include both data traffic and user-management traffic. After the device is in the vulnerable state, no new encrypted connections can be accepted.

Metrics

CVSS 3.1

7.7/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

EPSS Probability

0.58%

43.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-404

Affected Software

Vendor	Product	Versions
Cisco	Firepower Threat Defense	7.4.0
Cisco	Firepower Threat Defense	7.4.1
Cisco	Firepower Threat Defense	7.4.1.1
Cisco	Firepower Threat Defense	7.4.2
Cisco	Firepower Threat Defense	7.4.2.1
Cisco	Firepower Threat Defense	7.6.0
Cisco	Adaptive Security Appliance Software	9.20.1
Cisco	Adaptive Security Appliance Software	9.20.1.5
Cisco	Adaptive Security Appliance Software	9.20.2
Cisco	Adaptive Security Appliance Software	9.20.2.10
Cisco	Adaptive Security Appliance Software	9.20.2.21
Cisco	Adaptive Security Appliance Software	9.20.2.22
Cisco	Adaptive Security Appliance Software	9.20.3
Cisco	Adaptive Security Appliance Software	9.20.3.4
Cisco	Adaptive Security Appliance Software	9.20.3.7
Cisco	Adaptive Security Appliance Software	9.22.1.1

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-3100_4200_tlsdos-2yNSCd54Vendor Advisory

Timeline

Published: Aug 14, 2025
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2025-20127?

How severe is CVE-2025-20127?

CVE-2025-20127 has a CVSS score of 7.7/10 (HIGH severity). The EPSS model estimates a 0.58% probability of exploitation in the next 30 days.

How do I fix CVE-2025-20127?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-20127?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST