Cisco has released a security update to address a high-severity vulnerability (CVE-2025-20343, CVSS 8.6) affecting its Identity Services Engine (ISE) — a core network access control platform used by enterprises to authenticate and manage connected devices. The flaw could allow unauthenticated remote attackers to trigger unexpected system restarts, resulting in a denial-of-service (DoS) condition.
According to Cisco’s advisory, “A vulnerability in the RADIUS setting ‘Reject RADIUS requests from clients with repeated failures’ on Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause Cisco ISE to restart unexpectedly.”
The issue arises from a logic error in Cisco ISE’s RADIUS access request processing, specifically when the system handles connection attempts from MAC addresses already marked as rejected endpoints.
Cisco explained that “this vulnerability is due to a logic error when processing a RADIUS access request for a MAC address that is already a rejected endpoint.” An attacker could exploit the flaw by sending a sequence of crafted RADIUS access request messages, causing the ISE server to crash and restart repeatedly, leading to service interruptions.
Successful exploitation does not yield remote code execution or data theft. The impact is availability: while an ISE node is restarting it cannot answer RADIUS requests, so network access devices that depend on it cannot authenticate new 802.1X or MAB sessions, and an attacker who keeps the restart loop going effectively takes network access control offline for the duration.
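The advisory describes the trigger as a sequence of RADIUS Access-Requests for a MAC address that ISE has already rejected. Below is an added example, not Cisco's code and not part of the original article, of how a SOC could spot that pattern in a capture of RADIUS traffic (UDP/1812) in front of an ISE node. The packet layout follows RFC 2865 and the endpoint MAC is assumed to travel in the Calling-Station-Id attribute (type 31), as it does for MAB. The NAS address, the retry threshold and the time window are arbitrary assumptions, and the packets it inspects are constructed inline rather than captured from a real deployment.

```python
"""Flag endpoints that keep sending RADIUS Access-Requests after an Access-Reject.

Added example (not Cisco's code). Minimal RFC 2865 parser plus a tracker that
pairs each Access-Reject with the request it answers (same RADIUS identifier
from the same client), remembers the rejected MAC, and alerts once that MAC
reappears in more than `threshold` Access-Requests inside `window` seconds.
"""
import struct
from collections import defaultdict

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_CALLING_STATION_ID = 1, 31           # RFC 2865 attribute types
HEADER = struct.Struct("!BBH16s")                         # code, id, length, authenticator


def build_packet(code, ident, attrs, authenticator=b"\x00" * 16):
    """Serialize a RADIUS packet; attrs is a list of (type, value_bytes)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body


def parse_packet(data):
    """Return (code, id, {attr_type: [values]}); raise ValueError on malformed input."""
    if len(data) < HEADER.size:
        raise ValueError("short packet")
    code, ident, length, _auth = HEADER.unpack_from(data)
    if length < HEADER.size or length > len(data):
        raise ValueError("bad length field")
    attrs = defaultdict(list)
    pos = HEADER.size
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs[t].append(data[pos + 2:pos + l])
        pos += l
    return code, ident, attrs


class RejectedEndpointTracker:
    """Alert when an already-rejected MAC keeps being retried (values are assumptions)."""

    def __init__(self, threshold=5, window=60.0):
        self.threshold, self.window = threshold, window
        self.pending = {}                 # (client, radius_id) -> MAC awaiting a reply
        self.rejected = set()             # MACs that have received Access-Reject
        self.retries = defaultdict(list)  # MAC -> timestamps of post-reject requests
        self.alerts = []                  # (client, MAC, retries_in_window)

    def observe(self, client, data, ts):
        """Feed one packet seen on the wire; client is the NAS address."""
        code, ident, attrs = parse_packet(data)
        if code == ACCESS_REQUEST:
            raw = attrs.get(ATTR_CALLING_STATION_ID, [b""])[0]
            mac = raw.decode(errors="replace").upper()
            self.pending[(client, ident)] = mac
            if mac in self.rejected:
                hits = [t for t in self.retries[mac] if ts - t <= self.window] + [ts]
                self.retries[mac] = hits
                if len(hits) == self.threshold + 1:   # alert once on crossing
                    self.alerts.append((client, mac, len(hits)))
        elif code == ACCESS_REJECT:
            mac = self.pending.pop((client, ident), None)
            if mac:
                self.rejected.add(mac)
        elif code == ACCESS_ACCEPT:
            mac = self.pending.pop((client, ident), None)
            if mac:
                self.rejected.discard(mac)
                self.retries.pop(mac, None)
        return list(self.alerts)


def demo():
    """Constructed traffic: one MAC is rejected and then hammered; another is accepted."""
    nas = "10.0.0.5"   # assumed NAS address
    tracker = RejectedEndpointTracker(threshold=5, window=60.0)
    bad = [(ATTR_USER_NAME, b"001122334455"), (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55")]
    good = [(ATTR_USER_NAME, b"aabbccddeeff"), (ATTR_CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF")]
    tracker.observe(nas, build_packet(ACCESS_REQUEST, 7, bad), 0.0)
    tracker.observe(nas, build_packet(ACCESS_REJECT, 7, []), 0.1)
    tracker.observe(nas, build_packet(ACCESS_REQUEST, 20, good), 0.2)
    tracker.observe(nas, build_packet(ACCESS_ACCEPT, 20, []), 0.3)
    for i in range(8):   # retries for the rejected MAC; alert fires on the 6th
        tracker.observe(nas, build_packet(ACCESS_REQUEST, 8 + i, bad), 1.0 + i)
    return tracker.alerts


if __name__ == "__main__":
    for client, mac, n in demo():
        print(f"ALERT: {n} Access-Requests for rejected MAC {mac} from {client}")
```

The tracker keys on the RADIUS identifier to match replies to requests, which is how a real NAS and server correlate them, so it works on a passive mirror without any ISE-side logging. A burst of requests for a MAC the server has already rejected is exactly the traffic shape the advisory describes, and it is also what the suppressed setting is meant to absorb, so seeing it after the workaround has been applied is worth an alert in its own right.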
The vulnerability affects Cisco ISE releases 3.4.0, 3.4 Patch 1, 3.4 Patch 2, and 3.4 Patch 3, all of which have the “Reject RADIUS requests from clients with repeated failures” setting enabled by default.
ISE 3.3 and earlier releases, as well as ISE 3.5, are not affected.
As an immediate workaround until the patch can be applied, Cisco advises administrators to disable the affected setting in the web interface:
- Navigate to Administration > System > Settings > Protocols > RADIUS
- Go to the Suppress Repeated Failed Clients and Repeated Accounting section
- Uncheck “Reject RADIUS requests from clients with repeated failures”
Cisco cautions that disabling the feature removes the suppression of clients that repeatedly fail authentication, so the workaround should be treated as a temporary measure and the setting re-enabled once the fixed release is installed.
The fix ships in Cisco ISE 3.4 Patch 4; newer releases do not contain the defect. Cisco emphasizes that customers should upgrade to the fixed software release as soon as possible to eliminate exposure to this denial-of-service condition.