Cisco Secure Firewall Snort 3 Detection Engine Vulnerability Enables DoS Attacks

High-severity flaw CVE-2025-20217 (CVSS 8.6) lets unauthenticated attackers trigger denial-of-service conditions in Cisco's widely deployed firewall software

Cisco has disclosed a high-severity vulnerability in its Secure Firewall Threat Defense (FTD) Software that could allow remote attackers to cause denial-of-service conditions through the Snort 3 Detection Engine.

The vulnerability, tracked as CVE-2025-20217 with a CVSS score of 8.6, was published on August 14, 2025, as part of Cisco’s semiannual security advisory bundle.

The flaw exists in the packet inspection functionality of the Snort 3 Detection Engine, a core component responsible for analyzing and filtering network traffic for threats.

The vulnerability stems from incorrect processing of traffic during packet inspection and affects devices running vulnerable releases of Cisco Secure FTD Software with the Snort 3 engine enabled.

According to Cisco’s advisory, an unauthenticated, remote attacker can exploit this vulnerability by sending crafted traffic through the affected device.

The improper handling of these specially crafted packets causes the affected device to enter an infinite loop while inspecting traffic, resulting in a denial-of-service condition.

The vulnerability is classified under CWE-835 (Loop with Unreachable Exit Condition): the crafted traffic drives the inspection code into a loop whose exit condition is never satisfied, so the Snort process stops making progress and never returns to servicing other packets.
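Cisco has not published the specific trigger, so the following is an added illustration of the CWE-835 bug class in a packet-option parser, not Snort's code and not a reproduction of CVE-2025-20217. The option layout (a type byte, a length byte that counts itself, then the value) is assumed for the example; the "fuse" in the vulnerable walker stands in for the system watchdog so that the demonstration terminates, and the sample packets are constructed, not captured traffic.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

struct ParseResult {
    size_t options_seen;  // well-formed options walked before stopping
    bool   rejected;      // hardened parser refused the packet
    bool   gave_up;       // vulnerable walker hit its iteration fuse (watchdog stand-in)
};

// Assumed option layout: [type:1][len:1][value:len-2], len >= 2; type 0x00 ends the list.

// Vulnerable walk: trusts the length byte. An option whose len byte is 0 never
// advances 'off', so the loop's exit condition (off >= size or type == 0) is
// unreachable. Real code has no fuse; it spins until something external kills it.
ParseResult walk_options_vulnerable(const std::vector<uint8_t>& pkt, size_t fuse) {
    ParseResult r{0, false, false};
    size_t off = 0;
    size_t iterations = 0;
    while (off < pkt.size()) {
        if (++iterations > fuse) { r.gave_up = true; return r; }  // watchdog stand-in
        uint8_t type = pkt[off];
        if (type == 0x00) break;                  // end of options
        if (off + 1 >= pkt.size()) break;         // truncated option header
        uint8_t len = pkt[off + 1];
        r.options_seen++;
        off += len;                               // BUG: len == 0 leaves off unchanged forever
    }
    return r;
}

// Hardened walk: each iteration must move forward by at least the header size,
// and the claimed length must fit in the buffer. Anything else is rejected
// (fail closed) instead of being looped over.
ParseResult walk_options_fixed(const std::vector<uint8_t>& pkt) {
    ParseResult r{0, false, false};
    size_t off = 0;
    while (off < pkt.size()) {
        uint8_t type = pkt[off];
        if (type == 0x00) break;
        if (off + 1 >= pkt.size()) { r.rejected = true; return r; }
        uint8_t len = pkt[off + 1];
        if (len < 2 || off + len > pkt.size()) { r.rejected = true; return r; }  // no progress or overrun
        r.options_seen++;
        off += len;  // guaranteed to advance by at least 2
    }
    return r;
}

// Constructed samples: two valid options then a terminator, and a packet whose
// second option carries a zero length byte.
const std::vector<uint8_t> kGoodPkt    = {0x02, 0x04, 0x05, 0xb4, 0x03, 0x03, 0x07, 0x00};
const std::vector<uint8_t> kCraftedPkt = {0x02, 0x04, 0x05, 0xb4, 0x05, 0x00, 0x00};

int main() {
    ParseResult v = walk_options_vulnerable(kCraftedPkt, 1000);
    ParseResult f = walk_options_fixed(kCraftedPkt);
    std::printf("vulnerable: gave_up=%d (loop never advanced)\n", v.gave_up);
    std::printf("fixed: rejected=%d after %zu option(s)\n", f.rejected, f.options_seen);
    return 0;
}
```

The hardened version encodes the invariant that every loop iteration must strictly increase the cursor; a reviewer looking for CWE-835 in inspection code checks exactly that property for every value the loop uses to advance.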

Snort 3 Detection Engine Vulnerability

When successfully exploited, the vulnerability traps the Snort process in an infinite loop, stopping all traffic inspection until the system watchdog detects the hang and restarts the Snort process. What happens to traffic in the meantime depends on the device's Snort fail-open configuration: a device set to pass traffic while Snort is down forwards it uninspected, so malicious traffic could cross the firewall undetected, while a device set to fail closed drops traffic, turning each restart into an outage.

The attack requires no authentication and can be executed remotely, making it particularly dangerous for internet-facing Cisco FTD devices. The watchdog restart is a recovery, not a mitigation: an attacker who can keep sending the crafted traffic can re-trigger the loop after each restart, producing either a sustained loss of inspection or a sustained outage, depending on the fail-open configuration.

The vulnerability affects Cisco devices running vulnerable releases of Cisco Secure FTD Software with an intrusion policy enabled and the Snort 3 engine running. Organizations should verify which engine each device is using, because the vulnerability cannot be exploited while Snort 3 is not active: on the FTD CLI, the command show snort3 status reports whether the device is currently running Snort 3 or Snort 2, and the Firewall Management Center device page shows the same under the device's inspection engine.

Cisco has confirmed that several products are not affected by this vulnerability, including Cisco Secure Firewall Adaptive Security Appliance (ASA) Software, Cisco Secure Firewall Management Center (FMC) Software, and both Open Source Snort 2 and Snort 3 Software.

Cisco states that no workarounds are available for this issue, which leaves organizations with one remediation: applying the fixed software releases. Cisco has published free software updates that address the vulnerability.

This vulnerability adds to a growing list of security issues affecting Cisco’s firewall and VPN products. Recent months have seen multiple high-severity flaws disclosed, including CVE-2025-20265 (CVSS 10.0) affecting Secure Firewall Management Center and several other denial-of-service vulnerabilities in ASA and FTD products.

Security researchers have noted that Cisco has a history of vulnerabilities in its Snort detection engine and FTD product line, including multiple denial-of-service vulnerabilities related to packet inspection and traffic handling.

While Cisco typically responds with prompt advisories and patches, the recurring nature of these issues underscores the importance of timely patch management for organizations relying on Cisco security products.

As of the publication date, the Cisco Product Security Incident Response Team (PSIRT) reported that it is not aware of any public announcements or malicious use of the vulnerability.

The vulnerability was discovered during the resolution of a Cisco Technical Assistance Center (TAC) support case rather than through external threat intelligence.

Given the remote, unauthenticated nature of the attack vector and the critical role that Cisco FTD devices play in enterprise network security, security experts are advising organizations to prioritize patching efforts.

On devices configured to fail open, the loss of traffic inspection during each loop gives attackers a window in which to infiltrate networks or exfiltrate data without the intrusion policy seeing it; on devices configured to fail closed, the same loop becomes a repeatable outage.

Organizations using Cisco Secure Firewall Threat Defense Software are strongly advised to assess their exposure immediately using Cisco's Software Checker tool and to apply the available security updates to prevent exploitation of this high-severity vulnerability.


The post Cisco Secure Firewall Snort 3 Detection Engine Vulnerability Enables DoS Attacks appeared first on Cyber Security News.