HIGH · 7.7

CVE-2025-20127

A vulnerability in the TLS 1.3 implementation for a specific cipher for Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software for Cis...

Vulnerability Description

A vulnerability in the TLS 1.3 implementation for a specific cipher suite in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software for Cisco Firepower 3100 and 4200 Series devices could allow an authenticated, remote attacker to exhaust the resources associated with incoming TLS 1.3 connections, which eventually causes the device to stop accepting any new SSL/TLS or VPN requests. The vulnerability is due to the implementation of the TLS 1.3 cipher suite TLS_CHACHA20_POLY1305_SHA256. An attacker could exploit it by opening a large number of TLS 1.3 connections that negotiate TLS_CHACHA20_POLY1305_SHA256. A successful exploit results in a denial of service (DoS) condition in which no new incoming encrypted connections are accepted; the device must be reloaded to clear the condition. Note: the affected TLS 1.3 connections include both data-plane traffic (such as remote-access VPN) and user-management traffic, so once the device is in the vulnerable state, new management sessions over TLS are refused as well.
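The condition described above is triggered by volume of TLS 1.3 handshakes that use one specific cipher suite, so a passive sensor in front of the firewall can spot an attempt by looking at two fields of each ClientHello: the offered cipher_suites list and the supported_versions extension. The following is an added example, not code from the page or from Cisco: it parses a raw TLS ClientHello record, reports whether the client both offers TLS 1.3 (0x0304 in supported_versions) and the IANA-registered suite TLS_CHACHA20_POLY1305_SHA256 (0x1303), and counts such hellos per source address. The sample ClientHellos, the source addresses and the flagging threshold are constructed for illustration; the threshold is an assumption an operator would tune, and a client that merely offers 0x1303 alongside the AES-GCM suites may still be steered to another suite by the server, so the count is an upper bound on connections that actually negotiate ChaCha20-Poly1305.

```python
import struct
from collections import Counter

TLS_AES_128_GCM_SHA256 = 0x1301
TLS_AES_256_GCM_SHA384 = 0x1302
TLS_CHACHA20_POLY1305_SHA256 = 0x1303   # IANA value of the suite named in the advisory
EXT_SUPPORTED_VERSIONS = 0x002B
TLS13 = 0x0304
TLS12 = 0x0303


def build_client_hello(cipher_suites, versions=(TLS13,)):
    """Constructed minimal ClientHello (not a real capture) used as sample input below."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"          # legacy_version, random, empty session id
    cs = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(cs)) + cs               # cipher_suites<2..2^16-2>
    body += b"\x01\x00"                                    # compression_methods: null only
    vers = b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HHB", EXT_SUPPORTED_VERSIONS, len(vers) + 1, len(vers)) + vers
    body += struct.pack("!H", len(ext)) + ext              # extensions<8..2^16-1>
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # Handshake: type=client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # TLSPlaintext: type=handshake


def parse_client_hello(record):
    """Return (cipher_suites, supported_versions) from a ClientHello record, or None if the
    bytes are not a well-formed ClientHello. Absent supported_versions means TLS 1.2 or older."""
    try:
        if len(record) < 9 or record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            return None                                    # truncated or over-declared length
        pos = 2 + 32                                       # skip legacy_version and random
        pos += 1 + body[pos]                               # skip legacy_session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                               # skip compression_methods
        versions = []
        if pos + 2 <= len(body):
            ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
            pos += 2
            end = pos + ext_len
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                data = body[pos:pos + elen]
                pos += elen
                if etype == EXT_SUPPORTED_VERSIONS and data:
                    versions = [struct.unpack("!H", data[1 + i:3 + i])[0] for i in range(0, data[0], 2)]
        return suites, versions
    except (IndexError, struct.error):
        return None


def offers_chacha20_tls13(record):
    """True when the client offers TLS 1.3 and TLS_CHACHA20_POLY1305_SHA256 in the same hello."""
    parsed = parse_client_hello(record)
    if parsed is None:
        return False
    suites, versions = parsed
    return TLS13 in versions and TLS_CHACHA20_POLY1305_SHA256 in suites


def flag_sources(hellos, threshold):
    """hellos: iterable of (source_ip, raw_record). Returns the sources that sent more than
    `threshold` qualifying ClientHellos; the threshold is an assumed, operator-tuned value."""
    counts = Counter(src for src, rec in hellos if offers_chacha20_tls13(rec))
    return sorted(src for src, n in counts.items() if n > threshold)


# Constructed sample traffic: one source hammering with ChaCha20-only TLS 1.3 hellos,
# one normal TLS 1.3 client offering the AES-GCM suites, and one TLS 1.2-only client.
SAMPLE = (
    [("198.51.100.7", build_client_hello([TLS_CHACHA20_POLY1305_SHA256]))] * 50
    + [("203.0.113.5", build_client_hello([TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384]))] * 50
    + [("192.0.2.9", build_client_hello([0xC02F], versions=(TLS12,)))] * 5
)

if __name__ == "__main__":
    print("flagged sources:", flag_sources(SAMPLE, threshold=20))
```

Feed `flag_sources` with (source, record) pairs taken from the first packet of each client-to-firewall connection on tcp/443 (or whatever port the VPN or management service listens on) within a sliding window; a single source exceeding the threshold is the signal worth paging on, because the advisory's failure mode is cumulative and only a reload clears it.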

CVSS Score

7.7

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality: NONE
Integrity: NONE
Availability: HIGH

Affected Products

Vendor | Product                              | Versions
Cisco  | Firepower Threat Defense             | 7.4.0
Cisco  | Secure Firewall 3105                 | -
Cisco  | Secure Firewall 3110                 | -
Cisco  | Secure Firewall 3120                 | -
Cisco  | Secure Firewall 3130                 | -
Cisco  | Secure Firewall 3140                 | -
Cisco  | Secure Firewall 4215                 | -
Cisco  | Secure Firewall 4225                 | -
Cisco  | Secure Firewall 4245                 | -
Cisco  | Adaptive Security Appliance Software | 9.20.1

Related Weaknesses (CWE)

References

FAQ

What is CVE-2025-20127?

CVE-2025-20127 is a vulnerability with a CVSS score of 7.7 (HIGH). A vulnerability in the TLS 1.3 implementation for a specific cipher for Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software for Cis...

How severe is CVE-2025-20127?

CVE-2025-20127 has been rated HIGH with a CVSS 3.1 base score of 7.7/10. The impact is availability only (C:N/I:N/A:H): an authenticated remote attacker with low privileges can drive the device into a state where no new TLS or VPN connections are accepted until it is reloaded. Review the CVSS metrics above for the full breakdown.

Is there a patch for CVE-2025-20127?

Check the references section above for vendor advisories and patch information. Affected products include: Cisco Firepower Threat Defense, Cisco Secure Firewall 3105, Cisco Secure Firewall 3110, Cisco Secure Firewall 3120, Cisco Secure Firewall 3130.