Summary: Cisco has issued fixes for two high-severity denial-of-service vulnerabilities affecting its Meraki devices and Enterprise Chat and Email (ECE) appliances. The Meraki vulnerability could cause the AnyConnect VPN server to restart, while the ECE flaw could disrupt chat functionalities due to improper input validation. Users are urged to update to patched versions to mitigate potential risks.
Affected: Cisco Meraki MX and Z series devices, Cisco Enterprise Chat and Email (ECE) appliances
Key points:
- CVEs addressed: CVE-2025-20212 (Meraki) and CVE-2025-20139 (ECE).
- The Meraki vulnerability allows an attacker with valid VPN credentials to craft SSL VPN session attributes that cause the AnyConnect VPN server to restart.
- The ECE flaw permits remote exploitation without authentication, potentially requiring manual service restarts to recover.
- Fixes have been provided in specific firmware releases for Meraki devices and Cisco ECE version 12.6 ES 10.
- Additional patches for medium-severity cross-site scripting vulnerabilities were also released.
Source: https://www.securityweek.com/vulnerabilities-expose-cisco-meraki-and-ece-products-to-dos-attacks/