CVE-2025-20212

Name of the Vulnerable Software and Affected Versions Cisco Meraki MX and Cisco Meraki Z Series devices versions MX64, MX64W, MX65, MX65W, MX67, MX67C, MX67W, MX68, MX68CW

Description A vulnerability in the Cisco AnyConnect VPN server could allow an authenticated, remote attacker to cause a denial of service (DoS) condition in the Cisco AnyConnect service on an affected device. The attacker must have valid VPN user credentials on the affected device. This issue exists because a variable is not initialized when an SSL VPN session is established. An attacker could exploit this by supplying crafted attributes while establishing an SSL VPN session. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to restart, resulting in the failure of established SSL VPN sessions and forcing remote users to initiate a new VPN connection and reauthenticate. A sustained attack could prevent new SSL VPN connections from being established.

Recommendations For versions MX64, MX64W, MX65, MX65W, MX67, MX67C, MX67W, MX68, MX68CW, consider disabling the SSL VPN service until a patch is available to prevent exploitation. Restrict access to the Cisco AnyConnect VPN server to minimize the risk of exploitation. Avoid establishing new SSL VPN connections with affected devices until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.