Reject, Repeat, Restart: RADIUS Bug Triggers Cisco ISE DoS


A vulnerability in Cisco Identity Services Engine (ISE) could allow remote attackers to trigger unexpected system restarts, leading to a denial-of-service (DoS) condition. The vulnerability stems from how ISE handles repeated authentication failures, and organizations relying on ISE for network access control should take immediate action to mitigate the risk.


Vulnerability Details

The vulnerability, tracked as CVE-2025-20343, is due to a logic error in the RADIUS setting that rejects requests from clients after repeated authentication failures. An attacker can exploit it by sending a crafted sequence of RADIUS Access-Request messages that target MAC addresses ISE has already flagged as rejected endpoints.

When ISE processes these malicious requests, it can crash and restart, disrupting authentication services. This attack requires no authentication, making it particularly dangerous. CISA encourages organizations to review their systems for this vulnerability.
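As an added illustration (not code from the advisory or from Cisco), the Python below models the "reject after repeated failures" state per endpoint and flags MACs that keep sending requests after ISE would have rejected them, which is the traffic pattern this bug is triggered by. The log line format, thresholds and sample lines are constructed assumptions for the demo, not ISE's real authentication syslog.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format "<iso-timestamp> <event> mac=<Calling-Station-Id>" (an
# assumption for this demo; real ISE authentication syslog is richer than this).
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>Failed-Attempt|Passed-Authentication|"
                     r"Access-Request) mac=(?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})$")

def parse(lines):
    """Yield (timestamp, event, mac) for each line matching the constructed format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["event"], m["mac"]

def find_hammering_endpoints(lines, fail_threshold=5, fail_window=timedelta(minutes=5),
                             burst_threshold=10, burst_window=timedelta(seconds=60)):
    """Track the 'rejected after repeated failures' state per MAC and flag MACs that keep
    sending requests once rejected. Returns (alerts, rejected_at); alerts maps
    MAC -> requests seen within burst_window after the endpoint was rejected."""
    failures = defaultdict(list)      # mac -> recent failure timestamps
    rejected_at = {}                  # mac -> time the failure threshold was crossed
    after_reject = defaultdict(list)  # mac -> request timestamps while rejected
    alerts = {}
    for ts, event, mac in parse(lines):
        if mac in rejected_at:        # every further request from a rejected endpoint counts
            after_reject[mac].append(ts)
            recent = [t for t in after_reject[mac] if ts - t <= burst_window]
            if len(recent) >= burst_threshold:
                alerts[mac] = len(recent)
            continue
        if event == "Failed-Attempt":
            failures[mac] = [t for t in failures[mac] if ts - t <= fail_window] + [ts]
            if len(failures[mac]) >= fail_threshold:
                rejected_at[mac] = ts
        elif event == "Passed-Authentication":
            failures[mac].clear()     # a success resets the failure counter
    return alerts, rejected_at

def constructed_log():
    """Constructed sample: a healthy client, a noisy client below the threshold, and one
    endpoint that crosses the threshold and then keeps sending requests."""
    base = datetime(2025, 10, 1, 10, 0, 0)
    def line(sec, event, mac):
        return f"{(base + timedelta(seconds=sec)).isoformat()} {event} mac={mac}"
    good, noisy, bad = "AA:BB:CC:00:00:01", "AA:BB:CC:00:00:03", "AA:BB:CC:00:00:02"
    lines = [line(0, "Passed-Authentication", good)]
    lines += [line(s, "Failed-Attempt", noisy) for s in range(3)]
    lines += [line(s, "Failed-Attempt", bad) for s in range(5)]
    lines += [line(5 + s, "Access-Request", bad) for s in range(12)]
    return sorted(lines)  # ISO timestamps sort chronologically as strings
```

In a real deployment the same logic would run over exported ISE authentication logs, and an alert on a rejected endpoint that keeps hammering the PSN is a reason to check whether the setting is still enabled on an unpatched 3.4 node.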


Affected Products and Versions

The vulnerability affects the following Cisco ISE versions:

  • Cisco ISE 3.4.0
  • Cisco ISE 3.4 P1
  • Cisco ISE 3.4 P2
  • Cisco ISE 3.4 P3

The product is vulnerable when the “Reject RADIUS requests from clients with repeated failures” setting is enabled. It is important to note that earlier versions (3.3 and below) are not affected.


Impact

Successful exploitation of this vulnerability leads to:

  • System crashes and unexpected restarts.
  • Disruption of authentication services across the network.
  • Loss of visibility into network activity.
  • Authentication failures for legitimate users and devices.
  • Disruption of business operations across the entire network infrastructure.

Cisco ISE serves as a central point for network access control, device authentication, and compliance policy enforcement. When it becomes unavailable, it can severely impact an organization’s security posture and operational efficiency.


TTPs

  • TA0040 – Impact: Disrupting system availability and integrity.
  • T1499.001 – Resource Hijacking: Consuming resources to cause a denial of service.

Mitigation & Recommendations

Cisco has provided the following mitigation options:

  • Disable the Vulnerable RADIUS Setting: Immediately turn off the “Reject RADIUS requests from clients with repeated failures” setting in the administration console (Administration > System > Settings > Protocols > RADIUS).
  • Upgrade ISE: Upgrade ISE version 3.4 systems to Patch 4 or later.
  • Re-enable Setting After Patching: Cisco recommends re-enabling the RADIUS setting once systems are patched.

Disabling the setting provides temporary protection while upgrades are planned, as the vulnerability only affects systems with this setting enabled.


Instantly Fix Risks with Saner Patch Management

Saner patch management is continuous, automated, and integrated patching software that instantly fixes risks exploited in the wild. It supports major operating systems such as Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.