CVE Alert: CVE-2025-20343 – Cisco – Cisco Identity Services Engine Software
CVE-2025-20343
A vulnerability in the RADIUS setting "Reject RADIUS requests from clients with repeated failures" on Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause Cisco ISE to restart unexpectedly. This vulnerability is due to a logic error when processing a RADIUS access request for a MAC address that is already a rejected endpoint. An attacker could exploit this vulnerability by sending a specific sequence of multiple crafted RADIUS access request messages to Cisco ISE. A successful exploit could allow the attacker to cause a denial of service (DoS) condition when Cisco ISE restarts.
AI Summary Analysis
**Risk verdict** High-risk DoS vulnerability in Cisco ISE RADIUS handling: a crafted request sequence can trigger an unexpected restart and service disruption. No in-the-wild exploitation has been publicly reported yet, but the exposure is real for networks that rely on ISE for RADIUS.
**Why this matters** An attacker could disrupt network access and NAC enforcement, affecting wired and wireless authentication across campuses and remote sites. Recovery requires an ISE restart and possibly reconfiguration, so availability and user productivity suffer for the duration of the outage.
**Most likely attack path** An attacker with network reachability to the RADIUS service can send crafted RADIUS requests without authenticating and with low attack complexity. The flaw lies in the logic that handles a MAC address that is already a rejected endpoint, so a rapid sequence of such requests could force an ISE restart (a CVSS scope change), causing denial of service and potential knock-on outages beyond the initially targeted node.
**Who is most exposed** Enterprise deployments using Cisco ISE 3.4.x for 802.1X, VPN, or other RADIUS-based access controls, especially large campuses or distributed sites with multiple ISE nodes.
Detection ideas
- Alerts for unexpected ISE process restarts or crash events
- CPU/memory spikes correlated with bursts of RADIUS traffic
- Authentication outages or a spike in RADIUS failure logs
- RADIUS logs showing repeated crafted access attempts or abnormal request patterns, such as bursts of requests for a MAC address that is already a rejected endpoint
- ISE restarts or node failovers that do not line up with a scheduled maintenance window
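The two detection ideas most specific to this flaw are a burst of requests for an already-rejected MAC address and a restart that follows shortly after. The script below is an added example, not code from the advisory or from Cisco: it parses a constructed, simplified log format (real ISE syslog fields differ, so the regex must be adapted to the collector's actual format), keeps a per-node, per-MAC sliding window over rejected access requests, raises an alert when the window exceeds a threshold, and then correlates any process-restart event on the same node that lands within a look-ahead period after the burst.

```python
"""Burst-then-restart detection over RADIUS authentication logs.

Added example. The log line format and the sample lines are constructed
for this example and are not ISE's real syslog format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: six rejected requests for one MAC within a few seconds
# (a rejected endpoint being hammered), one unrelated reject for another MAC,
# an unexpected process restart shortly after the burst, then normal traffic.
SAMPLE_LOG = """\
2025-10-01T10:00:01Z ise-psn-1 RADIUS Access-Request nas=10.0.0.5 mac=AA:BB:CC:11:22:33 result=reject reason=repeated-failures
2025-10-01T10:00:02Z ise-psn-1 RADIUS Access-Request nas=10.0.0.5 mac=AA:BB:CC:11:22:33 result=reject reason=repeated-failures
2025-10-01T10:00:03Z ise-psn-1 RADIUS Access-Request nas=10.0.0.5 mac=AA:BB:CC:11:22:33 result=reject reason=repeated-failures
2025-10-01T10:00:04Z ise-psn-1 RADIUS Access-Request nas=10.0.0.6 mac=DE:AD:BE:EF:00:01 result=reject reason=bad-credentials
2025-10-01T10:00:04Z ise-psn-1 RADIUS Access-Request nas=10.0.0.5 mac=AA:BB:CC:11:22:33 result=reject reason=repeated-failures
2025-10-01T10:00:05Z ise-psn-1 RADIUS Access-Request nas=10.0.0.5 mac=AA:BB:CC:11:22:33 result=reject reason=repeated-failures
2025-10-01T10:00:06Z ise-psn-1 RADIUS Access-Request nas=10.0.0.5 mac=AA:BB:CC:11:22:33 result=reject reason=repeated-failures
2025-10-01T10:00:09Z ise-psn-1 SYSTEM process-restart component=runtime reason=unexpected
2025-10-01T10:05:00Z ise-psn-1 RADIUS Access-Request nas=10.0.0.6 mac=DE:AD:BE:EF:00:01 result=accept
"""

# Constructed format: "<ts> <host> <RADIUS|SYSTEM> <event> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>RADIUS|SYSTEM) (?P<event>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w[\w-]*)=(\S+)")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
           "host": m.group("host"), "kind": m.group("kind"), "event": m.group("event")}
    rec.update(KV_RE.findall(m.group("rest")))
    return rec


def find_reject_bursts(lines, threshold=5, window=timedelta(seconds=10)):
    """Sliding window of rejected requests per (node, MAC).

    One alert per key is raised the first time the window holds `threshold`
    rejects; the alert then tracks the peak window size and the last timestamp.
    """
    windows = defaultdict(deque)
    alerts = {}
    for rec in map(parse_line, lines):
        if rec is None or rec["kind"] != "RADIUS" or rec.get("result") != "reject":
            continue
        key = (rec["host"], rec.get("mac", "unknown"))
        q = windows[key]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:      # drop events older than the window
            q.popleft()
        if key in alerts:
            alerts[key]["peak"] = max(alerts[key]["peak"], len(q))
            alerts[key]["last"] = rec["ts"]
        elif len(q) >= threshold:
            alerts[key] = {"host": key[0], "mac": key[1], "peak": len(q),
                           "first": q[0], "last": rec["ts"]}
    return list(alerts.values())


def restarts_after_bursts(lines, bursts, lookahead=timedelta(seconds=60)):
    """Restart events on the same node within `lookahead` of a burst's last reject."""
    hits = []
    for rec in map(parse_line, lines):
        if rec is None or rec["kind"] != "SYSTEM" or rec["event"] != "process-restart":
            continue
        for b in bursts:
            gap = rec["ts"] - b["last"]
            if b["host"] == rec["host"] and timedelta(0) <= gap <= lookahead:
                hits.append({"host": rec["host"], "restart_at": rec["ts"], "burst_mac": b["mac"]})
    return hits


def run_sample():
    """Run both detections over the constructed sample and return (bursts, restarts)."""
    lines = SAMPLE_LOG.splitlines()
    bursts = find_reject_bursts(lines)
    return bursts, restarts_after_bursts(lines, bursts)


if __name__ == "__main__":
    for b in run_sample()[0]:
        print(f"burst: node={b['host']} mac={b['mac']} peak={b['peak']} {b['first']}..{b['last']}")
    for h in run_sample()[1]:
        print(f"restart after burst: node={h['host']} at {h['restart_at']} (mac {h['burst_mac']})")
```

The threshold and window are starting points, not tuned values: on a busy PSN a handful of legitimate retries from a misconfigured supplicant can also exceed them, so the restart correlation is what turns a noisy signal into something worth paging on. The same structure works for the CPU/memory idea above by swapping the restart event for a resource-alarm event.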
Mitigation and prioritisation
- Apply the Cisco advisory and upgrade to the fixed ISE release; review the vendor’s patch guidance.
- Implement RADIUS traffic controls: rate-limit or filter traffic from untrusted segments where feasible.
- Ensure high-availability deployment with validated failover and tested recovery procedures.
- Perform controlled patch testing in a lab and schedule a maintenance window for production upgrade.
- Monitor for early indicators post-patch and verify service stability; treat as a priority due to DoS potential when exposed.