Introduction
Unexpected restarts of network authentication systems can disrupt business operations and leave critical infrastructure inaccessible. Cisco Identity Services Engine (ISE), a widely deployed network access control solution, is impacted by a vulnerability that allows remote attackers to trigger denial of service through crafted RADIUS requests.
Cisco is a major player in the enterprise networking space, with ISE serving as a central authentication, authorization, and accounting (AAA) platform for organizations worldwide. ISE is used to enforce network policies, manage device access, and provide secure onboarding for users and endpoints. Its reliability is essential for maintaining secure and available enterprise networks.
Technical Information
CVE-2025-20343 is a logic error in the RADIUS suppression feature of Cisco ISE. The feature, configured via the setting 'Reject RADIUS requests from clients with repeated failures', is designed to reduce log noise and resource consumption by suppressing repeated failed authentication attempts from the same endpoint (identified by MAC address).
When this setting is enabled, ISE tracks endpoints that have failed authentication multiple times and marks them as rejected. The vulnerability is triggered when an attacker sends a specific sequence of RADIUS access requests for a MAC address that is already in the rejected state. Due to an incorrect comparison or state validation (classified as CWE-697: Incorrect Comparison), ISE mishandles these requests and enters an unexpected state that causes a system restart. This results in a denial of service for all authentication services handled by the affected ISE node.
Key technical points:
- The attack is unauthenticated and requires only network access to the RADIUS service (UDP ports 1645/1812).
- The vulnerable code path is only exercised when the suppression feature is enabled and the target MAC address is already marked as rejected.
- No valid credentials or prior authentication are needed.
- The root cause is a logic error in how ISE processes RADIUS requests for already-rejected endpoints.
- No public code snippets or exploit scripts are available as of this writing.
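Because the exact request sequence that trips the logic error is not public, a defender can still watch for the precondition the advisory describes: Access-Requests that keep arriving for a MAC address after ISE has already answered that endpoint with an Access-Reject. The following monitor is an added example, not Cisco code or any published detection; it parses RFC 2865 RADIUS datagrams (code, identifier, attribute list), reads the MAC from Calling-Station-Id (attribute 31), matches rejects to requests by identifier, and runs over constructed sample traffic. The threshold value and the sample MACs are assumptions chosen for the demonstration.

```python
import struct
from collections import defaultdict

ACCESS_REQUEST, ACCESS_REJECT = 1, 3
CALLING_STATION_ID = 31  # RADIUS attribute that carries the endpoint MAC (RFC 2865)

def parse_radius(pkt: bytes):
    """Return (code, identifier, {attribute_type: value}) for one RADIUS datagram."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20  # the 16-byte authenticator follows the 4-byte header
    while pos + 2 <= length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = pkt[pos + 2:pos + alen]
        pos += alen
    return code, ident, attrs

def build_radius(code: int, ident: int, attrs: dict) -> bytes:
    """Build a datagram for the constructed sample traffic below (authenticator zeroed)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs.items())
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def flag_rejected_mac_floods(packets, threshold: int) -> dict:
    """Return {mac: count} for endpoints that keep sending Access-Requests after a reject.
    Replies carry no Calling-Station-Id, so a reject is matched to its request by
    identifier; a production tool would also key on the NAS source address."""
    rejected, pending, post_reject = set(), {}, defaultdict(int)
    for pkt in packets:
        code, ident, attrs = parse_radius(pkt)
        mac = attrs.get(CALLING_STATION_ID, b"").decode(errors="replace")
        if code == ACCESS_REQUEST and mac:
            pending[ident] = mac
            if mac in rejected:
                post_reject[mac] += 1
        elif code == ACCESS_REJECT and ident in pending:
            rejected.add(pending.pop(ident))
    return {m: n for m, n in post_reject.items() if n >= threshold}

# Constructed sample: MAC A is rejected once and then sends five more requests;
# MAC B is rejected and retries only once, which stays below the threshold.
MAC_A, MAC_B = b"00-11-22-33-44-55", b"66-77-88-99-AA-BB"
SAMPLE = [build_radius(ACCESS_REQUEST, 1, {CALLING_STATION_ID: MAC_A}), build_radius(ACCESS_REJECT, 1, {}),
          build_radius(ACCESS_REQUEST, 2, {CALLING_STATION_ID: MAC_B}), build_radius(ACCESS_REJECT, 2, {})]
SAMPLE += [build_radius(ACCESS_REQUEST, 10 + i, {CALLING_STATION_ID: MAC_A}) for i in range(5)]
SAMPLE.append(build_radius(ACCESS_REQUEST, 20, {CALLING_STATION_ID: MAC_B}))
```

Fed from a capture of UDP 1645/1812 traffic in front of an ISE node, `flag_rejected_mac_floods` surfaces endpoints that match the already-rejected pattern, which is also the population that the suppression setting's own counters should be compared against when the feature is left enabled.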
Affected Systems and Versions
- Cisco Identity Services Engine (ISE) versions 3.4.0, 3.4 Patch 1, 3.4 Patch 2, and 3.4 Patch 3 are affected.
- The vulnerability is only present when the 'Reject RADIUS requests from clients with repeated failures' setting is enabled.
- Other versions (such as 3.3 and earlier) are not listed as affected for this specific issue.
- Both standalone and distributed ISE deployments are impacted if the vulnerable setting is active.
Vendor Security History
Cisco has disclosed multiple RADIUS-related vulnerabilities in ISE during 2025, including CVE-2025-20152, CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337. These issues range from denial of service to remote code execution. Cisco typically provides timely advisories and patches, but the recurrence of RADIUS processing flaws suggests deeper architectural or implementation challenges in this component of ISE.