High-Severity Vulnerabilities Patched by Cisco, Atlassian

Cisco has resolved a high-severity vulnerability in Meraki MX and Meraki Z devices. Atlassian pushed patches for multiple third-party dependencies.

Cisco and Atlassian on Wednesday announced the rollout of patches for multiple high-severity vulnerabilities in their products, many leading to denial-of-service (DoS) conditions.

Cisco released firmware updates for Meraki devices to resolve a high-severity flaw allowing attackers to cause the AnyConnect VPN server on these products to restart, leading to a DoS condition. Tracked as CVE-2025-20271 (CVSS score of 8.6), the bug can be exploited remotely.

“This vulnerability is due to variable initialization errors when an SSL VPN session is established. […] A sustained attack could prevent new SSL VPN connections from being established, effectively making the Cisco AnyConnect VPN service unavailable for all legitimate users,” Cisco explains.

The security defect impacts roughly two dozen Meraki MX and Meraki Z devices and was resolved in Meraki MX firmware versions 18.107.13, 18.211.6, and 19.1.8.

The company also rolled out fixes for a DoS bug in the Universal Disk Format (UDF) processing of ClamAV. Tracked as CVE-2025-20234, it can be exploited by submitting crafted files containing UDF content to ClamAV, the company notes.

Cisco says it is not aware of any of these vulnerabilities being exploited in the wild, but users are advised to apply the available patches as soon as possible.

Atlassian announced patches for five vulnerabilities in third-party dependencies in Bamboo, Bitbucket, Confluence, Crowd, and Jira.

These include CVE-2025-22228 (an improper authorization in Spring), CVE-2025-24970 (a DoS flaw in the Netty framework), CVE-2024-38816 (a path traversal related to the WebMvc.fn and WebFlux.fn web frameworks), CVE-2024-57699 (a DoS bug in Netplex Json-smart), and CVE-2025-31650 (DoS in Apache Tomcat).

To resolve these issues, Atlassian released software updates for Bamboo Data Center and Server, Bitbucket Data Center and Server, Confluence Data Center and Server, Crowd Data Center and Server, Jira Data Center and Server, and Jira Service Management Data Center and Server.

Users are advised to update their instances as soon as possible, even if Atlassian makes no mention of any of these security defects being exploited.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
