[CIVN-2025-0191] Network Address Translation DNS Inspection Denial of Service Vulnerability in CISCO

Published On: August 23, 2025

Indian Computer Emergency Response Team (CERT-In) (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
Cisco Secure Firewall ASA Software or Secure FTD Software
Overview
A vulnerability has been reported in the function that performs IPv4 and IPv6 Network Address Translation (NAT) DNS inspection in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. It could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition.
Target Audience: 
All IT administrators and individuals responsible for maintaining and updating Cisco Secure Firewall ASA Software and Secure FTD Software.
Risk Assessment:
High risk of data manipulation and service disruption.
Impact Assessment:
Potential impact on confidentiality, integrity, and availability of the system.
Description
This vulnerability exists due to an infinite loop condition that occurs when a Cisco Secure ASA or Cisco Secure FTD device processes DNS packets with DNS inspection enabled and the device is configured for NAT44, NAT64, or NAT46. An attacker could exploit this vulnerability by sending crafted DNS packets that match a static NAT rule with DNS inspection enabled through an affected device.
Successful exploitation of this vulnerability could allow the attacker to create an infinite loop and cause the device to reload, resulting in a DoS condition.
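As an added defender-side check, not part of this advisory or of Cisco's own tooling, the following Python script scans a saved ASA running-config for the combination the description above names: a static NAT rule that requests DNS rewriting (assumed here to be the `dns` keyword on the `nat ... static` statement) together with an `inspect dns` statement in the service policy. The configuration excerpt is constructed for the example; the device version check against the Cisco advisory is still required.

```python
import re

# Constructed ASA running-config excerpt (sample data, not from the advisory): three
# static NAT rules, two with the "dns" keyword, and a service policy that inspects DNS.
SAMPLE_CONFIG = """\
object network WEB-SRV
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10 dns
object network MAIL-SRV
 host 10.1.1.20
 nat (inside,outside) static 203.0.113.20
object network IPV6-SRV
 host 10.1.1.30
 nat (inside,outside) static 2001:db8::30 net-to-net dns
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global
"""

# Object NAT ("nat (in,out) static ...") and twice NAT ("nat (in,out) source static ...").
NAT_RE = re.compile(r"^\s*nat\s+\(([^)]+)\)\s+(?:source\s+)?static\s+(.*)$")

def dns_inspection_enabled(config: str) -> bool:
    """True if any policy-map class contains an 'inspect dns' statement."""
    return any(re.match(r"^\s*inspect\s+dns\b", ln) for ln in config.splitlines())

def static_nat_with_dns_rewrite(config: str) -> list:
    """Return static NAT rules whose options include the 'dns' (DNS rewrite) keyword."""
    hits, current_object = [], None
    for ln in config.splitlines():
        if ln.startswith("object network "):
            current_object = ln.split()[2]
            continue
        if not ln.startswith(" "):      # top-level line: we have left the object block
            current_object = None
        m = NAT_RE.match(ln)
        if m and re.search(r"\bdns\b", m.group(2)):
            hits.append({"object": current_object or "(twice NAT)",
                         "interfaces": m.group(1), "rule": ln.strip()})
    return hits

def exposure_report(config: str) -> dict:
    """Exposed only when DNS inspection is on AND at least one DNS-rewrite static rule exists."""
    rules = static_nat_with_dns_rewrite(config)
    inspect = dns_inspection_enabled(config)
    return {"dns_inspection": inspect, "dns_rewrite_rules": rules,
            "exposed": inspect and bool(rules)}
```

Run it against `show running-config` output saved to a file; a report with `exposed` true means the configuration matches the advisory's precondition and the software version must be compared against the fixed releases.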
Solution
Apply the appropriate updates as described in the Cisco advisory:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-nat-dns-dos-bqhynHTM
Vendor Information
CISCO
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-nat-dns-dos-bqhynHTM
References
CISCO
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-nat-dns-dos-bqhynHTM
CVE Name
CVE-2025-20136
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
