SB2025061846 - Remote denial of service in Cisco Meraki MX and Z Series AnyConnect VPN

Published: June 18, 2025

Security Bulletin ID: SB2025061846
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Partial DoS

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Use of Uninitialized Variable (CVE-ID: CVE-2025-20271)

CWE-ID: CWE-457 - Use of Uninitialized Variable

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the use of an uninitialized variable when an SSL VPN session is established in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices. A remote, unauthenticated attacker can send a sequence of crafted HTTPS requests to an affected device and force remote clients to initiate a new VPN connection and re-authenticate, resulting in a denial of service condition.

Successful exploitation of the vulnerability requires use of client certificate authentication.


Remediation

Install the update from the vendor's website.