CVE-2022-20742

HIGH

Cisco Adaptive Security Appliance and Firepower Threat Defense - Missing Cryptographic Step in IPsec IKEv2 VPN Tunnel


Description

A vulnerability in an IPsec VPN library of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to read or modify data within an IPsec IKEv2 VPN tunnel. This vulnerability is due to an improper implementation of Galois/Counter Mode (GCM) ciphers. An attacker in a man-in-the-middle position could exploit this vulnerability by intercepting a sufficient number of encrypted messages across an affected IPsec IKEv2 VPN tunnel and then using cryptanalytic techniques to break the encryption. A successful exploit could allow the attacker to decrypt, read, modify, and re-encrypt data that is transmitted across an affected IPsec IKEv2 VPN tunnel.

Scores

CVSS v3 7.4
EPSS 0.0013
EPSS Percentile 32.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-325 (Missing Cryptographic Step)
Status published
Products (3)
cisco/adaptive_security_appliance_software < 9.12.4.38
cisco/firepower_threat_defense 7.1.0
cisco/firepower_threat_defense < 6.4.0.15
Published May 03, 2022
Tracked Since Feb 18, 2026