CVE-2025-20343
Published: 05 November 2025
Summary
CVE-2025-20343 is a high-severity Incorrect Comparison (CWE-697) vulnerability in Cisco Identity Services Engine. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 33.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the logic error in Cisco ISE RADIUS processing for rejected endpoints by applying vendor-provided patches from the Cisco security advisory.
Implements denial-of-service protections such as rate limiting or filtering on RADIUS request processing to block exploitation via multiple crafted access requests.
Enforces boundary protection at network perimeters to monitor, filter, and restrict inbound RADIUS traffic from unauthenticated remote sources.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated remote attackers to exploit a logic error in Cisco ISE's RADIUS processing, causing a service restart and DoS condition, directly mapping to application exploitation for endpoint DoS.
NVD Description
A vulnerability in the RADIUS setting Reject RADIUS requests from clients with repeated failures on Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause Cisco ISE to restart unexpectedly. This vulnerability is due to a logic…
more
error when processing a RADIUS access request for a MAC address that is already a rejected endpoint. An attacker could exploit this vulnerability by sending a specific sequence of multiple crafted RADIUS access request messages to Cisco ISE. A successful exploit could allow the attacker to cause a denial of service (DoS) condition when Cisco ISE restarts.
Deeper analysisAI
CVE-2025-20343 is a denial-of-service vulnerability in the RADIUS setting "Reject RADIUS requests from clients with repeated failures" within Cisco Identity Services Engine (ISE). The issue stems from a logic error during the processing of a RADIUS access request for a MAC address that is already classified as a rejected endpoint. This flaw, associated with CWE-697 and scored 8.6 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H), can cause Cisco ISE to restart unexpectedly when exploited.
An unauthenticated, remote attacker can exploit this vulnerability by sending a specific sequence of multiple crafted RADIUS access request messages to the targeted Cisco ISE instance. Successful exploitation results in a denial-of-service (DoS) condition, as the repeated triggering of the logic error forces an unexpected restart of the ISE service, potentially disrupting network authentication and authorization functions.
For mitigation details, refer to the Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-radsupress-dos-8YF3JThh.
Details
- CWE(s)