Cisco Meraki MX and Z: Attackers can interrupt VPN connections
Security updates close gaps in Cisco Meraki MX and Z and the ClamAV virus scanner. DoS attacks are possible in both cases.
(Image: heise online)
The Cisco AnyConnect VPN server of Cisco Meraki MX and Z is vulnerable. Attackers can also exploit a vulnerability in ClamAV. Security patches are available for download. There have been no reports of attacks to date.
DoS state
In a warning message, the developers explain that errors occur during the initialization of VPN sessions, which attackers can exploit with prepared HTTPS requests. This leads to a restart of the VPN server and an interruption of the connection. As a result, users have to reconnect. According to Cisco, attackers can carry out the attack again and again, which can lead to a permanent interruption. The vulnerability (CVE-2025-20271) is classified as a “high” threat level.
The following products are said to be affected:
- MX64
- MX64W
- MX65
- MX65W
- MX67
- MX67C
- MX67W
- MX68
- MX68CW
- MX68W
- MX75
- MX84
- MX85
- MX95
- MX100
- MX105
- MX250
- MX400
- MX450
- MX600
- vMX
- Z3
- Z3C
- Z4
- Z4C
The developers state that they have solved the security problem in versions 18.107.13, 18.211.6 and 19.1.8. The problem occurs from version 16.2 onwards. As support for 16.2 and 17.6 has already expired, admins must upgrade to a current version.
ClamAV is also vulnerable to a DoS attack. The vulnerability(CVE-2025-20234 “medium”) is in the processing of the Universal Disk Format (UDF). If ClamAV scans prepared UDF content, memory errors occur and the scanner crashes. As a result, appliances no longer have any virus protection.
Videos by heise
The network supplier claims to have closed the vulnerability in the following releases:
- Secure Endpoint Connector for Linux 1.26.1
- Secure Endpoint Connector for Mac 1.26.1
- Secure Endpoint Connector for Windows 7.5.21, 8.4.5
- Secure Endpoint Private Cloud 4.2.2 (or earlier with updated connectors)
(des)
