A high-severity vulnerability affecting Cisco Meraki MX and Z Series devices could allow unauthenticated attackers to launch denial of service (DoS) attacks against the AnyConnect VPN service.
The vulnerability, tracked as CVE-2025-20271 with a CVSS score of 8.6, was published on June 18, 2025, and poses a significant risk to organizations relying on these devices for secure remote access.
Cisco Meraki AnyConnect VPN DoS Flaw
The vulnerability stems from variable initialization errors that occur when an SSL VPN session is established on an affected device.
Attackers can exploit this flaw by sending a sequence of crafted HTTPS requests to vulnerable Cisco Meraki MX and Z Series devices running AnyConnect VPN with client certificate authentication enabled.
The weakness is classified under CWE-457 (Use of Uninitialized Variable), indicating improper initialization of variables during the connection process.
When successfully exploited, the vulnerability causes the Cisco AnyConnect VPN server to restart, immediately terminating all established SSL VPN sessions and forcing remote users to re-authenticate.
A sustained attack could effectively render the AnyConnect VPN service completely unavailable, preventing legitimate users from establishing new connections.
This attack vector requires no authentication and can be executed remotely over the network, making it particularly dangerous for Internet-exposed VPN listeners.
The Cisco Product Security Incident Response Team (PSIRT) became aware of this vulnerability while resolving a support case and reports no known public exploitation at the time of publication.
Risk Factors / Details
Affected Products: Meraki MX Series: MX64, MX64W, MX65, MX65W, MX67, MX67C, MX67W, MX68, MX68CW, MX68W, MX75, MX84, MX85, MX95, MX100, MX105, MX250, MX400, MX450, MX600, vMX; Z Series: Z3, Z3C, Z4, Z4C.
Impact: Complete VPN service disruption.
Exploit Prerequisites:
1. Client certificate authentication enabled in the AnyConnect VPN configuration.
2. A vulnerable firmware release, i.e. one that supports AnyConnect (MX 16.2 or later; 17.6 or later on MX64/MX65) but predates the fixed builds.
3. The VPN listener port (TCP/443) reachable from the attacker's network path.
CVSS 3.1 Score: 8.6 (High)
Affected Products
The vulnerability affects a wide range of Cisco Meraki devices, including the MX64, MX64W, MX65, MX65W, MX67, MX67C, MX67W, MX68, MX68CW, MX68W, MX75, MX84, MX85, MX95, MX100, MX105, MX250, MX400, MX450, MX600, vMX, Z3, Z3C, Z4, and Z4C models.
However, a device is only vulnerable if it runs a vulnerable Cisco Meraki MX firmware release and has AnyConnect VPN with client certificate authentication specifically enabled.
Cisco AnyConnect VPN support requires MX firmware release 16.2 or later, with the MX64 and MX65 models requiring firmware 17.6 or later; a device on an older release cannot run AnyConnect and is therefore not exposed.
Organizations can verify their exposure by opening the AnyConnect Settings tab in the Meraki Dashboard and confirming whether certificate authentication is enabled, then comparing the running firmware against the fixed releases.
Mitigations
Cisco has released software updates addressing this vulnerability across multiple firmware trains, with fixes in versions 18.107.13, 18.211.6, and 19.1.8.
No workarounds are available, making patching the only effective mitigation. Notably, the Cisco Meraki MX400 and MX600 models will not receive fixes because they have reached end-of-life status; organizations still running them with certificate-authenticated AnyConnect should plan a hardware replacement.
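The exposure check described under Affected Products and Mitigations, written out as an added example (not Cisco or Meraki code): it takes a device inventory export and classifies each device as patched, exposed, not exposed, or needing review. The fixed builds, the AnyConnect minimum releases and the end-of-life models come from the advisory as reported above; the inventory layout, the field names and the sample devices are assumptions constructed for illustration, and the script does not call the Meraki Dashboard API.

```python
"""Classify Meraki MX/Z devices for CVE-2025-20271 exposure.

Added example, not part of the Cisco advisory or the Meraki product.
Fixed builds, AnyConnect minimum releases and EOL models are from the
article; inventory format and field names are assumptions.
"""
import re

# Earliest fixed build per firmware train (from the advisory).
FIXED_BUILDS = {
    (18, 107): (18, 107, 13),
    (18, 211): (18, 211, 6),
    (19, 1): (19, 1, 8),
}
LOWEST_FIXED = min(FIXED_BUILDS.values())
EOL_NO_FIX = {"MX400", "MX600"}          # end-of-life, no fix will ship
NEEDS_17_6 = {"MX64", "MX65"}            # AnyConnect needs 17.6+ on these


def parse_version(text):
    """'MX 18.107.12' -> (18, 107, 12); raises ValueError if no x.y.z is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return tuple(int(x) for x in m.groups())


def anyconnect_supported(model, version):
    """AnyConnect requires MX 16.2+, or 17.6+ on MX64/MX65 (from the article)."""
    minimum = (17, 6, 0) if model in NEEDS_17_6 else (16, 2, 0)
    return version >= minimum


def firmware_status(version):
    """'fixed', 'vulnerable', or 'unlisted' relative to the advisory's fixed builds."""
    train = version[:2]
    if train in FIXED_BUILDS:
        return "fixed" if version >= FIXED_BUILDS[train] else "vulnerable"
    if version < LOWEST_FIXED:
        return "vulnerable"      # older train with no fix listed: must upgrade
    return "unlisted"            # newer train: confirm against the advisory


def fixed_target(version):
    """Human-readable upgrade target for a vulnerable build."""
    train = version[:2]
    if train in FIXED_BUILDS:
        return ".".join(map(str, FIXED_BUILDS[train]))
    return " / ".join(".".join(map(str, v)) for v in sorted(FIXED_BUILDS.values()))


def assess(device):
    """Return (verdict, reason); verdict is patched, exposed, not_exposed or review."""
    model = device["model"]
    version = parse_version(device["firmware"])
    if not device.get("anyconnect_enabled"):
        return ("not_exposed", "AnyConnect VPN is disabled")
    if not anyconnect_supported(model, version):
        return ("not_exposed", "firmware predates AnyConnect support")
    if not device.get("client_cert_auth"):
        return ("not_exposed", "client certificate authentication is disabled")
    if model in EOL_NO_FIX:
        return ("exposed", "end-of-life model, no fix available; plan replacement")
    status = firmware_status(version)
    if status == "fixed":
        return ("patched", "running a fixed build")
    if status == "vulnerable":
        return ("exposed", f"upgrade to {fixed_target(version)} or later")
    return ("review", "firmware train not listed in the advisory; confirm with Cisco")


# Constructed sample inventory (hypothetical devices, not real data).
SAMPLE_INVENTORY = [
    {"name": "branch-01", "model": "MX68", "firmware": "MX 18.107.12",
     "anyconnect_enabled": True, "client_cert_auth": True},
    {"name": "branch-02", "model": "MX68", "firmware": "MX 18.107.13",
     "anyconnect_enabled": True, "client_cert_auth": True},
    {"name": "branch-03", "model": "MX85", "firmware": "MX 18.211.4",
     "anyconnect_enabled": True, "client_cert_auth": False},
    {"name": "dc-01", "model": "MX600", "firmware": "MX 18.107.10",
     "anyconnect_enabled": True, "client_cert_auth": True},
    {"name": "home-01", "model": "Z4", "firmware": "MX 19.1.7",
     "anyconnect_enabled": False, "client_cert_auth": True},
    {"name": "legacy-01", "model": "MX64", "firmware": "MX 17.5.2",
     "anyconnect_enabled": True, "client_cert_auth": True},
]


def report(inventory):
    """Map device name -> (verdict, reason) for the whole inventory."""
    return {d["name"]: assess(d) for d in inventory}


if __name__ == "__main__":
    for name, (verdict, reason) in report(SAMPLE_INVENTORY).items():
        print(f"{name:10} {verdict:12} {reason}")
```

Feed it your own export (CSV or JSON converted to the same dictionaries) and treat every "exposed" line as a patch or replacement action and every "review" line as a manual check against the advisory; the precondition checks mirror the article's point that only certificate-authenticated AnyConnect deployments are reachable by this flaw.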
Security teams must now extend vulnerability monitoring beyond the traditional network perimeter. The convergence of cloud-managed hardware (Meraki) with core security infrastructure (VPNs) creates new attack surfaces that require integrated defense strategies.