Vulnerable Products:
CVE-2025-20225, CVE-2025-20239, CVE-2025-20253
These vulnerabilities affect the following Cisco products if they have the IKEv2 VPN feature enabled:
IOS Software, IOS XE Software, Secure Firewall ASA Software, Secure FTD Software
Note: The Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS Software and Cisco IOS XE Software is not affected.
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.
CVE-2025-20224, CVE-2025-20252, CVE-2025-20254
These vulnerabilities affect the following Cisco products if they have the IKEv2 VPN feature enabled:
Secure Firewall ASA Software, Secure FTD Software
For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.

Determine the IKEv2 Configuration When Running Cisco IOS and IOS XE Software

To determine the IKEv2 configuration on a Cisco device that is running Cisco IOS Software or Cisco IOS XE Software, use a step-by-step approach to accurately determine the operational status and configuration of the device. The following two-step method determines whether IKEv1 or IKEv2 is enabled on a device and, subsequently, if IKEv2 is actively being used by the device.
Step 1. Determine Whether IKE (v1 or v2) Is Enabled
To determine whether IKE processing is enabled, use the show ip socket | include 500 or show udp | include 500 EXEC command on the device CLI. If UDP port 500 or UDP port 4500 is open on a device, the device is processing IKE packets.
Note: If IKEv1 or IKEv2 is enabled, UDP ports 500 and/or 4500 will be open because both protocols use these ports.
The following example shows the output of the show udp | include 500 command on a device that is processing IKE packets on UDP ports 500 and 4500 that are using either IPv4 or IPv6:
Router#show udp | include 500
17 --listen-- 192.168.1.10 500 0...
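The Step 1 check can be automated over saved CLI output. The following is an added example, not part of the Cisco advisory: it matches the local-port column exactly, because "| include 500" is a substring filter that also passes rows for ports such as 1500 or rows with 500 in a counter. The row layout is assumed from the sample line above, the "17(v6)" marker for IPv6 rows is an assumption, and all sample rows are constructed.

```python
import re

IKE_PORTS = {500, 4500}

# Assumed row layout (from the advisory's sample line):
#   <proto> --listen-- <local address> <local port> <counters...>
# "17" is UDP over IPv4; "17(v6)" for IPv6 rows is an assumption.
ROW = re.compile(
    r"^\s*17(?P<v6>\(v6\))?\s+--listen--\s+(?P<addr>\S+)\s+(?P<port>\d+)\b"
)

def ike_listeners(show_udp_output):
    """Return sorted (port, family, local_address) for UDP 500/4500 listeners."""
    found = set()
    for line in show_udp_output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # CLI prompt or a row that is not a listening socket
        port = int(m.group("port"))
        if port in IKE_PORTS:  # exact port match, not a substring match
            family = "IPv6" if m.group("v6") else "IPv4"
            found.add((port, family, m.group("addr")))
    return sorted(found)

def ike_enabled(show_udp_output):
    """True if the device listens on UDP 500 or 4500 (IKEv1 or IKEv2)."""
    return bool(ike_listeners(show_udp_output))

# Constructed sample: a device processing IKE on both ports, IPv4 and IPv6.
SAMPLE_IKE = """\
Router#show udp | include 500
17       --listen--          192.168.1.10      500   0   0 1001011   0
17(v6)   --listen--          FE80::1           500   0   0 1020011   0
17       --listen--          192.168.1.10     4500   0   0 1001011   0
17(v6)   --listen--          FE80::1          4500   0   0 1020011   0
"""

# Constructed sample: rows that pass "| include 500" but are not IKE listeners.
SAMPLE_NOT_IKE = """\
Router#show udp | include 500
17       --listen--          192.168.1.10     1500   0   0 1001011   0
17       --listen--          10.0.0.1          161   0   0 1500      0
"""

if __name__ == "__main__":
    for port, family, addr in ike_listeners(SAMPLE_IKE):
        print(f"UDP {port} listening on {addr} ({family})")
    print("IKE enabled (non-IKE sample):", ike_enabled(SAMPLE_NOT_IKE))
```

A positive result only shows that IKEv1 or IKEv2 is enabled, since both protocols use these ports.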
CVSS 3.1 Base Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)