Vulnerabilities Expose Cisco Meraki and ECE Products to DoS Attacks


The Meraki bug, tracked as CVE-2025-20212, was discovered in the AnyConnect VPN server and results from a variable not being initialized when an SSL VPN session is established. An attacker with valid VPN user credentials could supply crafted attributes during SSL VPN session establishment to cause the AnyConnect VPN server to restart, forcing remote users to initiate new VPN connections. Meraki MX firmware releases 18.107.12, 18.211.4, and 19.1.4 address the security defect. Devices running firmware versions 16.2 and 17 should be upgraded to a patched release, but earlier firmware releases are not affected.

The second DoS flaw resolved on Wednesday, tracked as CVE-2025-20139, affects the chat messaging features of ECE and could be exploited remotely, without authentication.
