
CVE-2025-20135: Missing Release of Memory after Effective Lifetime in Cisco Adaptive Security Appliance (ASA) Software

Medium
Vulnerability | CVE-2025-20135
Published: Thu Aug 14 2025 (08/14/2025, 16:28:16 UTC)
Source: CVE Database V5
Vendor/Project: Cisco
Product: Cisco Adaptive Security Appliance (ASA) Software

Description

A vulnerability in the DHCP client functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, adjacent attacker to exhaust available memory. This vulnerability is due to improper validation of incoming DHCP packets. An attacker could exploit this vulnerability by repeatedly sending crafted DHCPv4 packets to an affected device. A successful exploit could allow the attacker to exhaust available memory, which would affect availability of services and prevent new processes from starting, resulting in a Denial of Service (DoS) condition that would require a manual reboot. Note: On Cisco Secure FTD Software, this vulnerability does not affect management interfaces.

AI-Powered Analysis

AI Last updated: 08/14/2025, 17:24:07 UTC

Technical Analysis

CVE-2025-20135 is a medium-severity vulnerability in the DHCP client functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. The root cause is improper validation of incoming DHCPv4 packets combined with a failure to release allocated memory after its effective lifetime (a memory leak): an unauthenticated attacker on an adjacent network segment who repeatedly sends crafted DHCPv4 packets can drive the device into memory exhaustion. The result is a denial of service (DoS) condition in which available memory is depleted, new processes cannot start, and service availability is impacted; recovery requires a manual reboot of the device. On Cisco Secure FTD Software, management interfaces are not affected. The affected Cisco ASA software versions span from older releases such as 9.8.1 to recent ones such as 9.22.1.2, indicating a long-standing defect present across many release trains. The CVSS v3.1 base score is 4.3 (medium): adjacent attack vector, low attack complexity, no privileges required, no user interaction, and impact limited to availability only. There are no known exploits in the wild at the time of publication, and no patches or mitigations are explicitly listed in the provided data.

Potential Impact

For European organizations, this vulnerability poses a significant risk to network security infrastructure relying on Cisco ASA and FTD devices for firewalling and threat defense. Since these devices are critical for perimeter security, their unavailability due to a DoS attack could disrupt business operations, impede secure network access, and potentially expose internal networks to further threats. The requirement for the attacker to be on an adjacent network segment somewhat limits remote exploitation but does not eliminate risk within segmented or poorly isolated network environments, such as branch offices or partner networks. The manual reboot requirement to recover from the DoS condition could lead to extended downtime, especially in environments with limited on-site technical staff or where high availability configurations are not in place. Additionally, the broad range of affected versions suggests many organizations may be running vulnerable software, increasing the attack surface. European entities in sectors with stringent uptime and security requirements, such as finance, healthcare, and critical infrastructure, could face operational and compliance challenges if this vulnerability is exploited. The lack of impact on management interfaces in FTD software somewhat mitigates risk for administrative access but does not prevent service disruption.

Mitigation Recommendations

European organizations should prioritize the following specific mitigation steps:

1. Conduct an immediate inventory of Cisco ASA and FTD devices to identify affected software versions.
2. Engage with Cisco's official security advisories and support channels to obtain and apply any available patches or software updates addressing this vulnerability as soon as they are released.
3. Implement network segmentation best practices to restrict DHCP traffic to trusted segments and limit exposure of ASA/FTD DHCP clients to untrusted adjacent networks.
4. Employ DHCP snooping and filtering on switches to block malicious or malformed DHCP packets from reaching firewall devices.
5. Monitor network traffic for unusual DHCP packet patterns indicative of exploitation attempts.
6. Prepare incident response plans that include rapid detection and manual reboot procedures to minimize downtime if a DoS occurs.
7. Consider deploying redundant firewall appliances or high-availability configurations to maintain service continuity during potential attacks.
8. Review and harden firewall configurations to minimize unnecessary DHCP client usage on ASA/FTD devices where possible.

These targeted actions go beyond generic advice by focusing on controlling DHCP traffic exposure and operational readiness for recovery.
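Items 4 and 5 above call for filtering malformed DHCP packets and watching for unusual DHCP traffic patterns. The following is an added illustration, not code from Cisco or from this advisory's source: a small Python monitor that parses DHCPv4 packets (RFC 2131 fixed header plus options), counts per-source packets and structurally invalid packets over a sliding window, and raises an alert when either crosses a threshold. The packet builder, MAC addresses, thresholds and the overrunning option are constructed sample data. The specific malformation that Cisco's DHCP client mishandles is not described on this page, so the example checks generic structural validity (magic cookie, option length bounds, END terminator, presence of the message-type option) rather than any CVE-specific signature.

```python
import struct
from collections import defaultdict, deque

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that precedes the options
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255
FIXED_HDR_LEN = 236                # op .. file, before the magic cookie


def parse_dhcpv4(pkt: bytes) -> dict:
    """Parse a DHCPv4 packet; raise ValueError on any structural defect.
    A packet that fails here is exactly what a defender wants counted."""
    if len(pkt) < FIXED_HDR_LEN + 4:
        raise ValueError("truncated header")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", pkt[:12])
    if op not in (1, 2):
        raise ValueError(f"bad op {op}")
    if hlen > 16:
        raise ValueError(f"bad hlen {hlen}")
    chaddr = pkt[28:28 + hlen]
    if pkt[FIXED_HDR_LEN:FIXED_HDR_LEN + 4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, FIXED_HDR_LEN + 4
    while True:
        if i >= len(pkt):
            raise ValueError("options not terminated by END")
        code = pkt[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError(f"option {code} has no length byte")
        length = pkt[i + 1]
        value = pkt[i + 2:i + 2 + length]
        if len(value) != length:             # declared length runs past the packet
            raise ValueError(f"option {code} length {length} overruns packet")
        options[code] = value
        i += 2 + length
    if len(options.get(OPT_MSG_TYPE, b"")) != 1:
        raise ValueError("missing or malformed message-type option")
    return {"op": op, "xid": xid, "chaddr": chaddr.hex(":"),
            "msg_type": options[OPT_MSG_TYPE][0], "options": options}


class DhcpFloodMonitor:
    """Sliding-window, per-source counters for all and for malformed DHCPv4 packets."""

    def __init__(self, window_s=10.0, max_per_window=20, max_malformed=3):
        self.window_s, self.max_per_window, self.max_malformed = window_s, max_per_window, max_malformed
        self._seen = defaultdict(deque)       # src -> timestamps of every packet
        self._malformed = defaultdict(deque)  # src -> timestamps of packets that failed parsing

    def _trim(self, dq, now):
        while dq and now - dq[0] > self.window_s:
            dq.popleft()

    def observe(self, src: str, ts: float, pkt: bytes) -> list:
        """Record one packet from src at time ts; return alerts raised on this packet."""
        alerts = []
        self._seen[src].append(ts)
        self._trim(self._seen[src], ts)
        try:
            parse_dhcpv4(pkt)
        except ValueError as err:
            self._malformed[src].append(ts)
            self._trim(self._malformed[src], ts)
            if len(self._malformed[src]) == self.max_malformed:   # alert once, when first reached
                alerts.append(f"{src}: {self.max_malformed} malformed DHCPv4 packets "
                              f"in {self.window_s:g}s (last: {err})")
        if len(self._seen[src]) == self.max_per_window:
            alerts.append(f"{src}: DHCPv4 rate threshold ({self.max_per_window}/{self.window_s:g}s) reached")
        return alerts


def build_discover(mac: bytes, xid: int, options_tail: bytes = b"\xff") -> bytes:
    """Constructed sample DHCPDISCOVER (not a capture): fixed header, cookie, option 53, tail."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    hdr += b"\x00" * 16                  # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac.ljust(16, b"\x00")        # chaddr
    hdr += b"\x00" * 192                 # sname + file
    return hdr + DHCP_MAGIC + b"\x35\x01\x01" + options_tail


def run_demo() -> list:
    """Two constructed sources: a quiet, well-formed client and a bursting, half-malformed one."""
    mon = DhcpFloodMonitor(window_s=10.0, max_per_window=20, max_malformed=3)
    good_mac, bad_mac = bytes.fromhex("0200deadbe01"), bytes.fromhex("0200deadbe02")
    alerts = []
    for k in range(2):   # normal client: two valid packets, seconds apart
        alerts += mon.observe(good_mac.hex(":"), 1.0 * k, build_discover(good_mac, 0x1000 + k))
    for k in range(25):  # burst: 25 packets in 2s; odd ones carry option 61 claiming 32 bytes but holding 4
        tail = b"\x3d\x20AAAA" if k % 2 else b"\xff"
        alerts += mon.observe(bad_mac.hex(":"), 5.0 + 0.08 * k, build_discover(bad_mac, 0x2000 + k, tail))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print("ALERT", line)
```

In production the `src` key would come from the switch port or the frame's source MAC rather than `chaddr`, since the latter is attacker-controlled, and the thresholds would be tuned to the segment's normal lease-renewal rate; the structural checks, however, are the same ones a DHCP snooping filter applies before a packet reaches the firewall's DHCP client.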


Technical Details

Data Version
5.1
Assigner Short Name
cisco
Date Reserved
2024-10-10T19:15:13.213Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 689e1337ad5a09ad005ce3b3

Added to database: 8/14/2025, 4:47:51 PM

Last enriched: 8/14/2025, 5:24:07 PM

Last updated: 9/1/2025, 5:34:54 PM
