Cisco on Wednesday announced fixes for two high-severity denial-of-service (DoS) vulnerabilities impacting its Meraki MX and Meraki Z series devices and Enterprise Chat and Email (ECE) appliances.
The Meraki bug, tracked as CVE-2025-20212, was discovered in the AnyConnect VPN server, and was the result of a variable not being initialized when establishing an SSL VPN session.
An attacker with valid VPN user credentials could supply crafted attributes when the SSL VPN session was established, to cause the AnyConnect VPN server to restart, forcing remote users to initiate new VPN connections.
“A sustained attack could prevent new SSL VPN connections from being established,” Cisco explains, adding that the server would automatically recover when the attack stops.
Meraki MX firmware releases 18.107.12, 18.211.4, and 19.1.4 address the security defect. Devices running firmware versions 16.2 and 17 should be upgraded to a patched release, but earlier firmware releases are not affected.
The second DoS flaw resolved on Wednesday, tracked as CVE-2025-20139, affects the chat messaging features of ECE and could be exploited remotely, without authentication.
Improper validation of user-supplied input, the tech giant explains, could allow an attacker to send malicious requests to a chat entry point and cause the application to stop responding.
“The application may not recover on its own and may need an administrator to manually restart services to recover,” the company notes.
While default ECE configurations are not affected by this flaw, instances that have the chat feature enabled and an entry point configured are vulnerable, Cisco says.
Fixes for the bug were included in Cisco ECE version 12.6 ES 10. Users of earlier releases are advised to migrate to a patched version.
Cisco also released patches for two medium-severity vulnerabilities in the web-based management interface of Evolved Programmable Network Manager (EPNM) and Prime Infrastructure that could lead to remote, unauthenticated cross-site scripting (XSS) attacks. Both issues are the result of improperly validated user-supplied input.
The tech giant says it is not aware of any of these vulnerabilities being exploited in attacks, but users are advised to apply the available patches as soon as possible. Additional information can be found on Cisco’s security advisories page.
On Wednesday, the company updated its advisory for two critical security defects in Smart Licensing Utility that could allow attackers to log in with administrative privileges and obtain log files, respectively, to warn of their in-the-wild exploitation.
Tracked as CVE-2024-20439 and CVE-2024-20440, the flaws were patched in September 2024, and threat actors started exploiting them in attacks in March 2025.
Related: Cisco Patches 10 Vulnerabilities in IOS XR
Related: Cisco Patches Vulnerabilities in Nexus Switches
Related: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
Related: Cisco Patches Critical Vulnerabilities in Enterprise Security Product
