Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense Software Network Address Translation DNS Inspection DoS (cisco-sa-asaftd-nat-dns-dos-bqhynHTM)

Severity: High. Nessus Plugin ID 255231

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

According to its self-reported version, Cisco Adaptive Security Appliance (ASA) Software is affected by a vulnerability.

- A vulnerability in the function that performs IPv4 and IPv6 Network Address Translation (NAT) DNS inspection for Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to an infinite loop condition that occurs when a Cisco Secure ASA or Cisco Secure FTD device processes DNS packets with DNS inspection enabled and the device is configured for NAT44, NAT64, or NAT46. An attacker could exploit this vulnerability by sending crafted DNS packets that match a static NAT rule with DNS inspection enabled through an affected device. A successful exploit could allow the attacker to create an infinite loop and cause the device to reload, resulting in a DoS condition. (CVE-2025-20136)

Please see the included Cisco BIDs and Cisco Security Advisory for more information.
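Added example, not part of the Nessus plugin or of Cisco's advisory: a small Python check that reads an ASA/FTD running-config and reports whether the two preconditions the description names (DNS inspection active through an applied service-policy, and at least one static NAT rule) are both present. The sample config, the function names and the regexes are my own assumptions about ASA configuration syntax; the remedy remains the upgrade given under Solution.

```python
"""Precondition check for CVE-2025-20136 on an ASA/FTD running-config.
Per the advisory above, the loop is reachable only when DNS inspection is
enabled and traffic matches a static NAT rule. Sample config, names and
regexes are constructed assumptions about ASA syntax (not from the page)."""
import re

def dns_inspection_policy_maps(config: str) -> set:
    """Names of L3/L4 policy-maps with an 'inspect dns' action; the
    'policy-map type inspect dns ...' parameter maps are skipped."""
    found, current = set(), None
    for line in config.splitlines():
        if not line.startswith(" "):                     # top-level command
            m = re.match(r"policy-map (?!type )(\S+)", line)
            current = m.group(1) if m else None
        elif current and re.match(r"\s+inspect dns\b", line):
            found.add(current)
    return found

def check_cve_2025_20136_preconditions(config: str) -> dict:
    """Report which of the advisory's preconditions the config satisfies."""
    applied = set(re.findall(r"^service-policy (\S+)", config, re.M))
    active = dns_inspection_policy_maps(config) & applied  # applied maps only
    # Twice NAT ('nat (a,b) source static ...') and object NAT
    # (' nat (a,b) static ...' under 'object network') both count as static.
    static_nat = [l.strip() for l in config.splitlines()
                  if re.match(r"\s*nat \([^)]*\) .*\bstatic\b", l)]
    return {"dns_inspection_active": bool(active),
            "static_nat_rules": static_nat,
            "exposed": bool(active) and bool(static_nat)}

# Constructed sample: object NAT + twice NAT, DNS inspection in global policy.
SAMPLE_CONFIG = """\
object network WEB-SRV
 host 192.0.2.10
 nat (inside,outside) static 203.0.113.10
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static DMZ-NET DMZ-NET
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
service-policy global_policy global
"""
# Same device after the 'inspect dns' action is removed: no longer exposed.
MITIGATED_CONFIG = SAMPLE_CONFIG.replace("  inspect dns preset_dns_map\n", "")

if __name__ == "__main__":
    print(check_cve_2025_20136_preconditions(SAMPLE_CONFIG))
```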

Solution

Upgrade to the relevant fixed version referenced in Cisco bug IDs CSCwm08231 and CSCwm08232.

See Also

http://www.nessus.org/u?9ce314a2

http://www.nessus.org/u?8bc70a07

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwm08231

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwm08232

Plugin Details

Severity: High

ID: 255231

File Name: cisco-sa-asaftd-nat-dns-dos-bqhynHTM-asa.nasl

Version: 1.1

Type: local

Family: CISCO

Published: 8/26/2025

Updated: 8/26/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2025-20136

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:cisco:adaptive_security_appliance_software

Required KB Items: Host/Cisco/ASA/model

Exploit Ease: No known exploits are available

Patch Publication Date: 8/14/2025

Vulnerability Publication Date: 8/14/2025

Reference Information

CVE: CVE-2025-20136

CWE: 835

CISCO-SA: cisco-sa-asaftd-nat-dns-dos-bqhynHTM

IAVA: 2025-A-0612

CISCO-BUG-ID: CSCwm08231, CSCwm08232