#VU111273 Use of Uninitialized Variable in Meraki MX - CVE-2025-20271
Published: June 18, 2025
Vulnerability identifier: #VU111273
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-20271
CWE-ID: CWE-457
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Meraki MX
Meraki MX
Software vendor:
Cisco Systems, Inc
Cisco Systems, Inc
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to use of an uninitialized variable when an SSL VPN session is established in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices. A remote non-authenticated attacker can send a sequence of crafted HTTPS requests to an affected device and force remote clients to initiate a new VPN connection and re-authenticate, resulting in a denial of service condition.
Successful exploitation of the vulnerability requires use of client certificate authentication.
Remediation
Install updates from vendor's website.