Tuesday, March 17, 2026

Cisco Identity Services Engine Bug Enables Forced System Restart By Attackers

Cisco has disclosed a critical vulnerability in its Identity Services Engine (ISE) software that could allow attackers to remotely trigger a system restart, leading to a denial-of-service condition.

Identified as CVE-2025-20343, the flaw carries a CVSS base score of 8.6, classifying it as high severity.

The issue stems from a logic error in how ISE handles RADIUS access requests for MAC addresses marked as rejected endpoints due to repeated failures.

This vulnerability was detailed in Cisco’s security advisory published on November 5, 2025, and affects specific versions of the platform widely used for network access control and policy enforcement in enterprise environments.

The bug arises when the “Reject RADIUS requests from clients with repeated failures” setting is enabled, a default configuration introduced in ISE release 3.4.0.

An unauthenticated remote attacker can exploit it by sending a crafted sequence of RADIUS access request messages targeting a rejected endpoint.

The crafted sequence hits the faulty handling path for rejected endpoints, causing ISE to restart unexpectedly and disrupting authentication services across the network.

While the vulnerability does not enable data theft or unauthorized access, the potential for repeated restarts could cripple operations in high-traffic setups, such as corporate campuses or data centers reliant on ISE for secure device onboarding.

Vulnerability Technical Details

At its core, CVE-2025-20343 is classified under CWE-697 (Incorrect Comparison), a flaw in comparison logic.

When ISE receives a RADIUS request for a suppressed MAC address, the system fails to properly validate the request sequence, leading to an unhandled exception that forces a reboot.

The attack requires no privileges (PR:N) or user interaction (UI:N), and its network attack vector (AV:N) and low complexity (AC:L) make it straightforward for any threat actor that can reach the ISE RADIUS service over the network.

The scope is changed (S:C), amplifying impact as it affects the availability of the entire ISE instance without compromising confidentiality or integrity.

For a clear overview, the following table summarizes key CVE attributes:

Attribute: Details
CVE ID: CVE-2025-20343
CVSS Score: 8.6 (High) – Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Affected Products: Cisco ISE 3.4.0, 3.4 Patch 1, 3.4 Patch 2, 3.4 Patch 3 (with default RADIUS suppression enabled)
Unaffected: ISE 3.3 and earlier; ISE 3.5; ISE Passive Identity Connector (ISE-PIC)
Fixed Releases: ISE 3.4 Patch 4
Exploit Prerequisites: Network access to ISE; RADIUS suppression feature enabled
Impact: Denial of service via forced restart; no data exposure

Administrators can verify exposure via the ISE web UI under Administration > System > Settings > Protocols > RADIUS, checking the “Suppress Repeated Failed Clients” section.
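For fleets with many ISE nodes, the affected/fixed/unaffected rules from the table above can be applied in a short triage script. The following is an added example, not Cisco's code: it assumes version strings in the form used by the advisory ("3.4.0", "3.4 Patch 2", "3.5"), treats an unknown suppression setting as enabled because that is the default from 3.4.0, and marks ISE-PIC as unaffected.

```python
import re
from dataclasses import dataclass

FIXED_PATCH = 4  # ISE 3.4 Patch 4 is the fixed release for CVE-2025-20343

# Accepts "3.4.0", "3.4 Patch 2", "3.5", "3.3 Patch 5" (assumed input format)
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s*Patch\s*(\d+))?\s*$", re.IGNORECASE)


@dataclass
class Exposure:
    vulnerable: bool
    reason: str


def parse_ise_version(text):
    """Return (major, minor, patch) for an ISE version string; patch is 0 if absent."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    major, minor, _maintenance, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess_exposure(version, reject_repeated_failures=None, is_pic=False):
    """Decide whether a node is exposed to CVE-2025-20343.

    reject_repeated_failures: state of the RADIUS "Reject RADIUS requests from
    clients with repeated failures" setting, or None if not yet verified.
    Unknown is treated as enabled, since it is on by default from 3.4.0.
    is_pic: True for ISE Passive Identity Connector, which is unaffected.
    """
    if is_pic:
        return Exposure(False, "ISE-PIC is not affected")
    major, minor, patch = parse_ise_version(version)
    if (major, minor) != (3, 4):
        return Exposure(False, f"ISE {major}.{minor} is outside the affected 3.4 train")
    if patch >= FIXED_PATCH:
        return Exposure(False, f"3.4 Patch {patch} includes the fix (Patch {FIXED_PATCH})")
    if reject_repeated_failures is False:
        return Exposure(False, "affected release, but suppression is disabled (workaround); "
                               f"upgrade to 3.4 Patch {FIXED_PATCH}")
    note = "" if reject_repeated_failures else " (setting not verified; enabled by default)"
    return Exposure(True, f"3.4 Patch {patch} with RADIUS suppression enabled{note}; "
                          f"upgrade to 3.4 Patch {FIXED_PATCH}")
```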

Mitigation and Recommendations

Cisco urges immediate upgrades to ISE 3.4 Patch 4 or later for vulnerable releases, with detailed upgrade guides available on its support site.

As a temporary workaround, disable the “Reject RADIUS requests from clients with repeated failures” checkbox in the RADIUS settings.

This removes the trigger condition but allows more failed authentication attempts to be processed, so re-enable the setting after upgrading to restore the intended security posture.

The vulnerability was uncovered through a Technical Assistance Center support case, with no known public exploits or announcements at this time.

Organizations using ISE should audit configurations promptly, especially in segmented networks where RADIUS is central to zero-trust models.

This incident underscores the importance of timely patching for authentication infrastructure, as downtime from DoS attacks can cascade into broader operational disruptions.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging threats and technologies.