Cisco has disclosed a critical vulnerability in its Meraki MX and Z Series devices that could allow remote attackers to disrupt VPN services and force users offline.
The security vulnerability, tracked as CVE-2025-20271 with a CVSS score of 8.6, affects the AnyConnect VPN server component when client certificate authentication is enabled.
The flaw stems from variable initialization errors in the AnyConnect VPN server's handling of SSL VPN session establishment, and it can cause widespread service disruption for organizations that rely on these appliances for remote access.
An unauthenticated, remote attacker can trigger it by sending crafted HTTPS requests to a vulnerable device. A successful exploit causes the AnyConnect VPN server to restart unexpectedly, which drops every active SSL VPN session and forces legitimate users to reconnect and re-authenticate.
The denial of service is most damaging under sustained attack: by repeatedly triggering the restart, an attacker can prevent new SSL VPN sessions from being established at all, taking the AnyConnect VPN service offline for every user and cutting off secure remote access for the organization.
The vulnerability affects devices running Cisco Meraki MX firmware 16.2 and later, the first release to include the AnyConnect VPN server; the MX64 and MX65 only gained AnyConnect support in firmware 17.6, so those models are affected from 17.6 onward.
Cisco AnyConnect VPN Vulnerability
The vulnerability impacts a broad range of Cisco Meraki products, including multiple MX Series models from the MX64 through the MX600, virtual MX appliances, and Z Series Teleworker Gateway devices.
However, only devices with both AnyConnect VPN enabled and client certificate authentication configured are susceptible to attack.
Organizations can determine their exposure in the Meraki Dashboard by opening AnyConnect Settings under the Client VPN section and checking whether AnyConnect is enabled and whether client certificate authentication is turned on.
Devices that use Client VPN only over L2TP/IPsec are not affected, because the flaw lies in SSL VPN session handling; likewise, a device with AnyConnect enabled but client certificate authentication switched off does not meet the conditions for exploitation.
Cisco has confirmed that other product lines, including ASA Software, Firepower Threat Defense, IOS Software, and the Meraki Z1 model, are not vulnerable to this particular security issue.
Immediate Updates
Cisco has released software updates addressing this vulnerability across affected firmware branches, with no available workarounds to mitigate the risk.
Organizations running vulnerable firmware versions must upgrade to fixed releases: version 18.107.13 for the 18.1xx branch, 18.211.6 for 18.2xx releases, and 19.1.8 for version 19.1 deployments.
The company emphasizes that customers should ensure devices contain sufficient memory before upgrading and verify that current configurations will remain supported.
Importantly, Cisco Meraki MX400 and MX600 models, which support only firmware releases 16.16.9 and earlier, have entered end-of-life status and will not receive security patches for this vulnerability.
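As a practical check on the exposure conditions and fixed releases described above, here is an added triage script that is not Cisco's or Meraki's code. It applies the advisory's conditions (AnyConnect enabled plus client certificate authentication), the fixed releases 18.107.13, 18.211.6 and 19.1.8, the AnyConnect minimum firmware per model, and the end-of-life status of the MX400 and MX600 to a device inventory. The Device record, its field names and the sample inventory are constructed for the example; the mapping of versions onto the 18.1xx/18.2xx/19.1 trains, and the rule that a train without a listed fix must migrate to a fixed train, are assumptions drawn from the fixed-release list rather than statements from the advisory.

```python
"""Triage helper for CVE-2025-20271 exposure on Cisco Meraki MX and Z Series.

Added example, not Cisco or Meraki code. Device records are constructed
inline; in practice they would be populated from the Meraki Dashboard
(firmware version, AnyConnect enabled, client certificate authentication).
"""
from dataclasses import dataclass

# Fixed releases from the advisory, keyed by firmware train (major, train digit).
FIXED_RELEASES = {
    (18, 1): (18, 107, 13),   # 18.1xx train
    (18, 2): (18, 211, 6),    # 18.2xx train
    (19, 1): (19, 1, 8),      # 19.1 train
}

# End-of-life models capped at 16.16.9 that receive no fix.
EOL_MODELS = {"MX400", "MX600"}


@dataclass
class Device:
    name: str
    model: str
    firmware: str            # dotted version string, e.g. "18.107.12"
    anyconnect_enabled: bool
    client_cert_auth: bool   # AnyConnect client certificate authentication


def parse_version(text):
    """'18.107.12' -> (18, 107, 12); shorter strings are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def train_of(version):
    """Map a version onto the advisory's train key.

    Assumption: the 18.1xx and 18.2xx trains are identified by the hundreds
    digit of the minor number, while 19.1 carries a single-digit minor.
    """
    major, minor, _ = version
    return (major, minor // 100) if minor >= 100 else (major, minor)


def anyconnect_min_version(model):
    """AnyConnect exists from 16.2; the MX64 and MX65 only gained it in 17.6."""
    return (17, 6, 0) if model in {"MX64", "MX65"} else (16, 2, 0)


def fmt(version):
    return ".".join(str(p) for p in version)


def assess(dev):
    """Return (status, action) for one device."""
    ver = parse_version(dev.firmware)
    if not dev.anyconnect_enabled:
        return ("not_exposed", "AnyConnect VPN is not enabled")
    if not dev.client_cert_auth:
        return ("not_exposed", "client certificate authentication is not enabled")
    if ver < anyconnect_min_version(dev.model):
        # Inventory claims AnyConnect is on, but this firmware cannot run it.
        return ("check", "firmware predates AnyConnect support; verify the record")
    if dev.model in EOL_MODELS:
        return ("vulnerable_no_fix", "end-of-life model with no fixed release")
    train = train_of(ver)
    if train > max(FIXED_RELEASES):
        return ("check", "train newer than the advisory's fixed releases; confirm with Cisco")
    fixed = FIXED_RELEASES.get(train)
    if fixed is None:
        # Assumption: a train with no listed fix must migrate to a fixed train.
        return ("vulnerable", "migrate to 18.107.13, 18.211.6 or 19.1.8")
    if ver >= fixed:
        return ("fixed", f"running {fmt(ver)}")
    return ("vulnerable", f"upgrade to {fmt(fixed)}")


def triage(devices):
    """Return [(name, status, action)] with the most exposed devices first."""
    rows = [(d.name, *assess(d)) for d in devices]
    order = {"vulnerable_no_fix": 0, "vulnerable": 1, "check": 2,
             "fixed": 3, "not_exposed": 4}
    return sorted(rows, key=lambda r: order[r[1]])


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("hq-edge", "MX250", "18.107.12", True, True),
    Device("branch-1", "MX68", "18.211.6", True, True),
    Device("branch-2", "MX84", "19.1.7", True, False),
    Device("legacy-dc", "MX400", "16.16.9", True, True),
    Device("home-1", "Z3", "17.10.2", True, True),
]

if __name__ == "__main__":
    for name, status, action in triage(SAMPLE_INVENTORY):
        print(f"{name:10} {status:18} {action}")
```

The version comparison is done on integer tuples rather than strings so that 18.107.13 sorts above 18.107.9, and a train newer than anything in the advisory is flagged for manual confirmation rather than silently reported as fixed or vulnerable.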
The Cisco Product Security Incident Response Team discovered this vulnerability during routine support case resolution and reports no evidence of public exploitation or malicious use.
Organizations are advised to prioritize patching efforts and regularly monitor Cisco Security Advisories for updates on this and other security issues affecting their network infrastructure.