Critical Cisco AnyConnect VPN Vulnerability Exposes Meraki Devices to DoS Attacks
Cisco has disclosed a high-severity vulnerability (CVE-2025-20212) affecting its Meraki MX and Z Series devices with AnyConnect VPN enabled. The flaw allows authenticated attackers to trigger denial-of-service (DoS) conditions by exploiting an uninitialized variable during SSL VPN session setup. This issue can lead to service disruptions, forcing remote users to reconnect and blocking new VPN connections. Cisco has released firmware updates to address the vulnerability, and administrators are urged to apply patches promptly to ensure continued secure VPN functionality.

Cisco Meraki Devices Vulnerable to Denial-of-Service (DoS) Due to AnyConnect VPN Flaw
Cisco has revealed a critical security vulnerability in its AnyConnect VPN service for Meraki MX and Z Series devices, which could enable authenticated remote attackers to launch denial-of-service (DoS) attacks. The vulnerability, tracked as CVE-2025-20212, stems from the improper initialization of a variable during SSL VPN session establishment. This flaw could disrupt VPN services and affect businesses relying on these devices for remote access.
Vulnerability Overview
The issue arises when an attacker, armed with valid VPN credentials, manipulates session attributes during the SSL handshake process. Exploiting this vulnerability causes the Cisco AnyConnect VPN service to restart, terminating active connections and preventing new sessions from being established. While the service will automatically recover once the attack ceases, sustained exploitation can lead to prolonged outages and disruptions for remote workers.
Affected Devices
This flaw impacts over 20 Meraki devices, including the MX64, MX65, MX67, MX68, MX75, MX84, MX95, MX100, and various Z Series models such as Z3, Z3C, Z4, and Z4C. Specifically, devices running Meraki MX firmware 16.2 or later with Cisco AnyConnect VPN enabled are at risk. Notably, MX64 and MX65 models are only affected if running firmware versions 17.6 and higher, while older devices like MX400 and MX600 will not receive patches due to their end-of-life status.
Exploitation and Impact
The vulnerability allows an attacker to disrupt established VPN sessions by forcing the VPN server to restart. This forces users to reconnect and reauthenticate, potentially causing severe downtime if exploited repeatedly. While the vulnerability does not compromise confidentiality or integrity, its impact on service availability can be significant. Attackers must have valid VPN credentials and network access to exploit the flaw.
Mitigation and Fixes
Cisco has issued firmware updates to address the vulnerability, and administrators are strongly advised to update affected devices to the following fixed releases:
- 18.1: Version 18.107.12
- 18.2: Version 18.211.4
- 19.1: Version 19.1.4
For affected models, there are no workarounds; upgrading to a fixed release is the only solution. Cisco also recommends monitoring VPN logs for unusual patterns of reconnections or service interruptions, as these could indicate ongoing exploitation.
Security Best Practices
Network administrators should verify if Cisco AnyConnect VPN is enabled by navigating to the Meraki Dashboard under "Security & SD-WAN" or "Teleworker Gateway," depending on the device. If the AnyConnect settings are enabled, administrators should immediately plan and implement updates to secure their devices.
Additionally, organizations must ensure that their systems meet the minimum memory and hardware requirements for the latest firmware versions to prevent operational issues post-update.
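The following triage helper is an added example, not Cisco's or Meraki's own tooling. It encodes the rules stated above (AnyConnect enabled, firmware 16.2 or later affected, MX64/MX65 only from 17.6, MX400/MX600 end-of-life, fixed releases 18.107.12 / 18.211.4 / 19.1.4) so an inventory export can be checked offline; it assumes that a release belongs to the train named by its major number plus the first digit of its second component (18.107.x is the 18.1 train, 18.211.x the 18.2 train), and that devices on a train with no listed fix should move to the lowest fixed train.

```python
"""Triage helper for CVE-2025-20212 on Cisco Meraki MX / Z Series devices.

Added example, not Cisco or Meraki code. Rules come from the advisory
summary; the train-naming scheme and the "no fix listed for this train"
handling are assumptions and are marked as such below.
"""
from __future__ import annotations

# Fixed releases per train, as listed in the advisory summary.
FIXED_RELEASES = {"18.1": (18, 107, 12), "18.2": (18, 211, 4), "19.1": (19, 1, 4)}
AFFECTED_FROM = (16, 2)                                # general threshold
MODEL_EXCEPTIONS = {"MX64": (17, 6), "MX65": (17, 6)}  # only affected from 17.6
END_OF_LIFE = {"MX400", "MX600"}                       # no patch will be issued

def parse_version(text: str) -> tuple[int, ...]:
    """'18.107.12' -> (18, 107, 12); tolerates an 'MX ' prefix."""
    text = text.strip()
    if text.upper().startswith("MX "):
        text = text[3:]
    return tuple(int(part) for part in text.split("."))

def train_of(version: tuple[int, ...]) -> str:
    """Assumed train naming: (18, 107, 12) -> '18.1', (19, 1, 4) -> '19.1'."""
    return f"{version[0]}.{str(version[1])[0]}"

def assess(model: str, firmware: str, anyconnect_enabled: bool) -> str:
    """Return 'not_affected', 'fixed', 'end_of_life_no_patch' or 'upgrade_to <release>'."""
    if not anyconnect_enabled:
        return "not_affected"          # the flaw is only reachable via AnyConnect VPN
    model = model.upper()
    version = parse_version(firmware)
    threshold = MODEL_EXCEPTIONS.get(model, AFFECTED_FROM)
    if version[:2] < threshold:
        return "not_affected"          # release predates the vulnerable code
    if model in END_OF_LIFE:
        return "end_of_life_no_patch"  # advisory: MX400/MX600 will not be patched
    fixed = FIXED_RELEASES.get(train_of(version))
    if fixed is None:
        # Assumption: no fixed build listed for this train (e.g. 16.x/17.x),
        # so recommend the lowest fixed train rather than staying on it.
        return "upgrade_to 18.107.12"
    if version >= fixed:               # tuple comparison handles 18.107.9 < 18.107.12
        return "fixed"
    return "upgrade_to " + ".".join(map(str, fixed))

if __name__ == "__main__":
    # Constructed inventory rows: (model, firmware, AnyConnect enabled?)
    inventory = [("MX68", "18.107.10", True), ("MX64", "17.5.1", True),
                 ("Z4", "19.1.4", True), ("MX95", "18.211.2", False)]
    for row in inventory:
        print(row, "->", assess(*row))
```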
Conclusion
This vulnerability highlights the complexities of securing VPN services, especially in enterprise environments where remote work and secure access are essential. With no workarounds available, it is critical for affected organizations to prioritize firmware updates to ensure the continued security and availability of their network infrastructure.