CVE-2025-20343
📋 TL;DR
An unauthenticated remote attacker can cause Cisco Identity Services Engine (ISE) to restart unexpectedly by sending crafted RADIUS access request messages for already-rejected MAC addresses. This creates a denial of service condition affecting network authentication services. Organizations using Cisco ISE for RADIUS authentication are affected.
💻 Affected Systems
- Cisco Identity Services Engine (ISE)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Sustained exploitation could cause repeated ISE restarts, leading to extended authentication service outages affecting all network users and devices.
Likely Case
Temporary service disruption during ISE restart, causing authentication failures for new connections until service recovers.
If Mitigated
Minimal impact with proper network segmentation and monitoring allowing quick detection and response.
🎯 Exploit Status
Exploitation requires sending a specific sequence of crafted RADIUS messages, but no authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Cisco advisory for specific fixed versions
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-radsupress-dos-8YF3JThh
Restart Required: Yes
Instructions:
1. Review Cisco advisory for affected versions.
2. Download and apply appropriate patch from Cisco.
3. Restart ISE services as required.
4. Verify patch application.
🔧 Temporary Workarounds
Disable RADIUS request rejection feature
Temporarily disable the 'Reject RADIUS requests from clients with repeated failures' setting to prevent exploitation
Navigate to ISE GUI > Administration > System > Settings > RADIUS > Uncheck 'Reject RADIUS requests from clients with repeated failures'
Network segmentation
Restrict access to the RADIUS service to trusted networks only
Configure firewall rules to limit RADIUS (UDP 1812/1813, 1645/1646) access to authorized clients only
🧯 If You Can't Patch
- Implement strict network access controls to limit RADIUS traffic to trusted sources only
- Monitor ISE logs for repeated RADIUS failures and restart patterns, implement alerting
🔍 How to Verify
Check if Vulnerable:
Check ISE version against Cisco advisory and verify if 'Reject RADIUS requests from clients with repeated failures' is enabled
Check Version:
show application version ise (CLI) or check Administration > System > About (GUI)
Verify Fix Applied:
Verify ISE version is updated to patched version and test with simulated RADIUS requests
📡 Detection & Monitoring
Log Indicators:
- Unexpected ISE process restarts
- Multiple RADIUS authentication failures from same source
- RADIUS service interruption logs
Network Indicators:
- Unusual volume of RADIUS access requests to rejected endpoints
- RADIUS service unresponsiveness
SIEM Query:
source="cisco_ise" AND (event_type="process_restart" OR message="*RADIUS*restart*" OR auth_result="FAILURE") | stats count by src_ip
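The log indicators above (repeated RADIUS failures from one source for an already-rejected endpoint, followed by an ISE restart) as a small correlation script; this is an added example, not Cisco's code, and the log lines it parses are a constructed, simplified format rather than real ISE syslog.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (simplified, not real ISE syslog): RADIUS rejections and
# drops carry the NAS source IP and endpoint MAC; APP-RESTART models the
# "unexpected ISE process restart" indicator.
SAMPLE_LOG = """\
2025-01-10T10:00:01Z RADIUS-REJECT nas=10.0.0.5 mac=aa:bb:cc:dd:ee:01
2025-01-10T10:00:02Z RADIUS-DROP nas=10.0.0.5 mac=aa:bb:cc:dd:ee:01
2025-01-10T10:00:03Z RADIUS-DROP nas=10.0.0.5 mac=aa:bb:cc:dd:ee:01
2025-01-10T10:00:04Z RADIUS-DROP nas=10.0.0.5 mac=aa:bb:cc:dd:ee:01
2025-01-10T10:00:05Z RADIUS-DROP nas=10.0.0.5 mac=aa:bb:cc:dd:ee:01
2025-01-10T10:00:20Z RADIUS-REJECT nas=10.0.0.9 mac=aa:bb:cc:dd:ee:02
2025-01-10T10:00:30Z APP-RESTART service=ise
"""

LINE_RE = re.compile(r"^(\S+) (RADIUS-REJECT|RADIUS-DROP|APP-RESTART)(?: nas=(\S+) mac=(\S+))?")

def parse(line):
    """Return (timestamp, event, nas_ip, mac) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)

def detect(log, window_s=10, threshold=5, restart_corr_s=60):
    """Alert on sources sending >= threshold RADIUS failures for one MAC within
    window_s seconds; raise severity to 'high' when an ISE restart follows within
    restart_corr_s seconds (the failure-then-restart pattern to watch for)."""
    recent = defaultdict(deque)   # (nas, mac) -> timestamps of recent failures
    alerts, restarts = {}, []
    for line in log.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, event, nas, mac = rec
        if event == "APP-RESTART":
            restarts.append(ts)
            continue
        q = recent[(nas, mac)]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:   # sliding window
            q.popleft()
        if len(q) >= threshold and (nas, mac) not in alerts:
            alerts[(nas, mac)] = {"first": q[0], "last": ts, "count": len(q), "severity": "medium"}
    for a in alerts.values():
        if any(0 <= (r - a["last"]).total_seconds() <= restart_corr_s for r in restarts):
            a["severity"] = "high"
    return alerts
```

Tune `window_s` and `threshold` to the environment's normal rejection rate so ordinary mistyped credentials do not page anyone.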