Cisco AnyConnect VPN Server Vulnerability Lets Attackers Trigger DoS Attack

A high-severity vulnerability affecting Cisco Meraki MX and Z Series devices could allow unauthenticated, remote attackers to cause a denial of service (DoS) against the AnyConnect VPN service running on those devices.

The vulnerability, tracked as CVE-2025-20271 with a CVSS score of 8.6, was published on June 18, 2025, and poses significant risks to organizations relying on these devices for secure remote access.

Cisco Meraki AnyConnect VPN DoS Flaw

The vulnerability stems from a variable initialization error that occurs when an SSL VPN session is established on an affected device.

Attackers can exploit this flaw by sending a sequence of crafted HTTPS requests to vulnerable Cisco Meraki MX and Z Series devices running AnyConnect VPN with client certificate authentication enabled. 

The weakness is classified as CWE-457 (Use of Uninitialized Variable): a variable is read during connection setup before it has been properly initialized.

When successfully exploited, the vulnerability causes the Cisco AnyConnect VPN server to restart, immediately terminating all established SSL VPN sessions and forcing remote users to re-authenticate. 

A sustained attack could effectively render the AnyConnect VPN service completely unavailable, preventing legitimate users from establishing new connections. 

This attack vector requires no authentication and can be executed remotely over the network, making it particularly dangerous for exposed systems.

The Cisco Product Security Incident Response Team (PSIRT) found the vulnerability while resolving a support case, and reports no public announcements or known malicious use of it.

Risk Factors           Details
Affected Products      Meraki MX Series: MX64, MX64W, MX65, MX65W, MX67, MX67C, MX67W, MX68, MX68CW, MX68W, MX75, MX84, MX85, MX95, MX100, MX105, MX250, MX400, MX450, MX600, vMX; Z Series: Z3, Z3C, Z4, Z4C
Impact                 Complete VPN service disruption (AnyConnect VPN server restart, all SSL VPN sessions dropped)
Exploit Prerequisites  1. Client certificate authentication enabled in the AnyConnect VPN configuration.
                       2. A firmware release that supports AnyConnect VPN (MX 16.2 and later; 17.6 and later on MX64/MX65) and does not yet include the fix.
                       3. The VPN listener (TCP/443) reachable from the attacker's network path.
CVSS 3.1 Score         8.6 (High)

Affected Products 

The vulnerability impacts a wide range of Cisco Meraki devices, including MX64, MX64W, MX65, MX65W, MX67, MX67C, MX67W, MX68, MX68CW, MX68W, MX75, MX84, MX85, MX95, MX100, MX105, MX250, MX400, MX450, MX600, vMX, Z3, Z3C, Z4, and Z4C models. 

However, devices are only vulnerable if they run vulnerable Cisco Meraki MX firmware releases and have AnyConnect VPN with client certificate authentication specifically enabled.

Cisco AnyConnect VPN support requires MX firmware releases 16.2 and later, with MX64 and MX65 models requiring firmware 17.6 or later. 

Organizations can verify their exposure in the Meraki Dashboard by opening the AnyConnect Settings tab for each MX or Z Series network and confirming whether the authentication type is set to certificate authentication.

Mitigations 

Cisco has released software updates addressing this vulnerability across multiple firmware branches, including fixes in versions 18.107.13, 18.211.6, and 19.1.8. 

No workarounds are available, making patching the only effective mitigation strategy. Notably, Cisco Meraki MX400 and MX600 models will not receive fixes as they have entered end-of-life status.
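The triage below is an added example, not code from the article or from Cisco. It applies the conditions the article gives (certificate authentication enabled, a firmware release that supports AnyConnect, the three fixed releases, and the two end-of-life models) to a constructed device inventory. Assumptions: firmware strings are either the Dashboard's "MX 18.107.12" form or an API-style "wired-18-107-12" form; the 17.6 support threshold is applied only to models named exactly MX64 and MX65; and a branch for which the article lists no fixed release is treated as needing migration to one that has a fix.

```python
import re
from dataclasses import dataclass

# Fixed releases named in the advisory summary, keyed by firmware branch (major, minor).
FIXED_RELEASES = {
    (18, 107): (18, 107, 13),
    (18, 211): (18, 211, 6),
    (19, 1): (19, 1, 8),
}

# Models that will not receive a fix because they are end of life.
END_OF_LIFE = {"MX400", "MX600"}

# Minimum firmware that supports AnyConnect VPN at all. A device below this
# threshold cannot have the feature enabled and so is not exposed to this bug.
ANYCONNECT_MIN = (16, 2, 0)
ANYCONNECT_MIN_MX64_65 = (17, 6, 0)   # applied to MX64 and MX65 only (assumption)

# Matches "MX 18.107.12" (Dashboard UI) and "wired-18-107-12" (assumed API style).
_VERSION_RE = re.compile(r"(\d+)[.\-](\d+)[.\-](\d+)")


def parse_firmware(text: str) -> tuple:
    """Extract (major, minor, patch) from a Meraki firmware string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return tuple(int(x) for x in m.groups())


@dataclass
class Device:
    name: str
    model: str
    firmware: str
    cert_auth_enabled: bool   # AnyConnect authentication type is 'Certificate'


def assess(dev: Device) -> str:
    """Classify one device against the CVE-2025-20271 conditions."""
    ver = parse_firmware(dev.firmware)
    minimum = ANYCONNECT_MIN_MX64_65 if dev.model in ("MX64", "MX65") else ANYCONNECT_MIN
    if ver < minimum:
        return "not affected: firmware predates AnyConnect support"
    if not dev.cert_auth_enabled:
        # Not exposed today; re-run the check if certificate auth is turned on later.
        return "not affected: certificate authentication not enabled"
    fixed = FIXED_RELEASES.get(ver[:2])
    if fixed is not None and ver >= fixed:
        return "patched"
    if dev.model in END_OF_LIFE:
        return "vulnerable: end-of-life model, no fix will be released"
    if fixed is None:
        return "vulnerable: no fixed release in this branch, migrate to a fixed branch"
    return "vulnerable: upgrade to " + ".".join(map(str, fixed))


def triage(devices: list) -> dict:
    """Return {device name: verdict} for a whole inventory."""
    return {d.name: assess(d) for d in devices}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("branch-a", "MX68", "MX 18.107.12", True),
    Device("branch-b", "MX68", "wired-18-107-13", True),
    Device("branch-c", "MX64", "MX 17.5.2", False),
    Device("hq-1", "MX250", "MX 19.1.7", False),
    Device("dc-1", "MX600", "MX 18.107.12", True),
    Device("home-1", "Z4", "MX 18.1.5", True),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name:10} {verdict}")
```

Feed the function the model, firmware string and AnyConnect authentication type as read from the Dashboard for each MX or Z Series network; only devices reported as vulnerable need an upgrade or, for MX400 and MX600, a hardware replacement.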

Security teams should include cloud-managed edge hardware such as Meraki appliances in routine vulnerability monitoring: because these devices also terminate remote-access VPNs, a flaw in their firmware directly affects the availability of core security infrastructure.


The post Cisco AnyConnect VPN Server Vulnerability Lets Attackers Trigger DoS Attack appeared first on Cyber Security News.