Cisco ISE Reboot via RADIUS Access Request DoS
CVE-2025-20343 Published on November 5, 2025
Cisco Identity Services Engine Radius Suppression Denial of Service Vulnerability
A vulnerability in the RADIUS setting Reject RADIUS requests from clients with repeated failures on Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause Cisco ISE to restart unexpectedly.
This vulnerability is due to a logic error when processing a RADIUS access request for a MAC address that is already a rejected endpoint. An attacker could exploit this vulnerability by sending a specific sequence of multiple crafted RADIUS access request messages to Cisco ISE. A successful exploit could allow the attacker to cause a denial of service (DoS) condition when Cisco ISE restarts.
Vulnerability Analysis
CVE-2025-20343 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
Incorrect Comparison
The software compares two entities in a security-relevant context, but the comparison is incorrect, which may lead to resultant weaknesses.
Products Associated with CVE-2025-20343
stack.watch emails you whenever new vulnerabilities are published in Cisco Identity Services Engine Software or Cisco Identity Services Engine. Just hit a watch button to start following.
Affected Versions
Cisco Identity Services Engine Software:- Version 3.4.0 is affected.
- Version 3.4 Patch 1 is affected.
- Version 3.4 Patch 2 is affected.
- Version 3.4 Patch 3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.