Cisco disclosed a high-severity vulnerability affecting its Identity Services Engine (ISE) that could allow unauthenticated remote attackers to cause a denial of service condition.
The vulnerability, identified as CVE-2025-20152, received a CVSS score of 8.6, reflecting its serious potential impact on enterprise networks relying on Cisco ISE for network authentication services.
The flaw exists in the RADIUS message processing feature of Cisco ISE. Security researchers at Cisco discovered the vulnerability during internal security testing, and no exploits have been observed in the wild according to the Cisco Product Security Incident Response Team (PSIRT).
Cisco ISE RADIUS DoS Vulnerability
The vulnerability stems from improper handling of certain RADIUS requests by the Cisco ISE platform.
Classified under CWE-125 (Out-of-bounds Read), this implementation flaw enables attackers to trigger a complete system reload of the affected ISE device.
Since RADIUS services are enabled by default in Cisco ISE deployments, many organizations may be vulnerable unless they exclusively use TACACS+ for authentication services.
“A successful exploit could allow the attacker to cause Cisco ISE to reload,” states the advisory, highlighting the potential for service disruption at organizations relying on ISE for network access control.
This vulnerability affects Cisco ISE 3.4, while versions 3.3 and earlier are confirmed not vulnerable.
The timing of this disclosure raises concerns given the recent “Blast-RADIUS” vulnerability discovered earlier this year in the RADIUS protocol itself, though the two issues appear to be unrelated.
While the earlier vulnerability exploited weaknesses in the MD5 cryptographic function used by RADIUS, this new Cisco-specific issue targets the implementation of RADIUS message processing within ISE.
The exploitation process is straightforward, requiring no authentication or user interaction.
An attacker can trigger the vulnerability by sending specifically crafted RADIUS authentication requests to a network access device (NAD) that uses Cisco ISE for authentication, authorization, and accounting (AAA) services.
The technical root cause involves how the ISE platform handles RADIUS packets. When the malformed authentication request reaches the ISE server via the NAD, it triggers an improper exception handling condition that forces a complete RADIUS process restart.
This vulnerability is particularly concerning because RADIUS operates using UDP ports 1645/1812 for authentication and 1646/1813 for accounting, protocol characteristics that make attacks relatively easy to execute from remote locations.
The wide adoption of RADIUS as the most common AAA protocol for network access control amplifies the potential impact across numerous enterprise deployments.
Risk Factors | Details
Affected Products | Cisco Identity Services Engine (ISE) 3.4 with RADIUS authentication services enabled.
Impact | Denial of Service (DoS)
Exploit Prerequisites | RADIUS authentication services enabled (enabled by default); attacker does not require authentication or user interaction; attacker sends specially crafted RADIUS authentication requests to a network access device (NAD)
CVSS 3.1 Score | 8.6 (High)
Mitigation
Cisco has released a fixed software version, ISE 3.4P1, to address the vulnerability, and strongly recommends immediate patching as no workarounds exist.
Organizations using Cisco ISE should verify their deployment version and upgrade affected systems through their regular update channels.
“Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels,” advises Cisco in the security bulletin.
Security experts recommend organizations take additional precautions while implementing patches, including:
Implementing network segmentation to limit exposure.
Monitoring RADIUS authentication logs for suspicious activity.
Temporarily restricting RADIUS access from untrusted networks.
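The root-cause section above ties the reload to how RADIUS packets are handled, and the advice here calls for watching RADIUS traffic for suspicious activity. The example below, added to this article and not taken from Cisco ISE or from the advisory, shows what a bounds-checked RADIUS parser looks like (every length field is verified against the bytes actually present before it is used, which is the check whose absence produces an out-of-bounds read, CWE-125) and a small per-source counter of rejected datagrams that a monitor could use as a signal. All packets, addresses and the threshold are constructed for the illustration; nothing here reflects the specific request that affects ISE 3.4.

```python
"""Bounds-checked RADIUS (RFC 2865) parser plus a per-source malformed-packet
counter. Illustrative code added to this article; it is not Cisco ISE code and
does not model the specific packet behind CVE-2025-20152."""
import struct
from collections import Counter

RADIUS_HEADER_LEN = 20   # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
RADIUS_MAX_LEN = 4096    # upper bound on the Length field per RFC 2865 section 3
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4


class MalformedRadius(ValueError):
    """Raised instead of reading past the end of the datagram."""


def parse_radius(datagram: bytes) -> dict:
    """Parse one RADIUS datagram, refusing every read that is not covered by
    the bytes actually received."""
    if len(datagram) < RADIUS_HEADER_LEN:
        raise MalformedRadius("datagram shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if length < RADIUS_HEADER_LEN or length > RADIUS_MAX_LEN:
        raise MalformedRadius(f"length field {length} out of range")
    if length > len(datagram):
        raise MalformedRadius("length field exceeds datagram size")
    authenticator = datagram[4:20]
    # Octets beyond the Length field are padding and are ignored (RFC 2865).
    body = datagram[20:length]
    attrs = []
    pos = 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise MalformedRadius("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2:
            raise MalformedRadius(f"attribute {atype} has invalid length {alen}")
        if pos + alen > len(body):
            # This is the classic out-of-bounds read: the attribute claims
            # more bytes than remain in the packet.
            raise MalformedRadius(f"attribute {atype} length {alen} runs past packet end")
        attrs.append((atype, bytes(body[pos + 2:pos + alen])))
        pos += alen
    return {"code": code, "identifier": ident,
            "authenticator": authenticator, "attributes": attrs}


def is_wellformed(datagram: bytes) -> bool:
    try:
        parse_radius(datagram)
        return True
    except MalformedRadius:
        return False


def build_radius(code: int, ident: int, attrs) -> bytes:
    """Assemble a well-formed datagram (used to construct sample input)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, RADIUS_HEADER_LEN + len(body))
    return header + b"\x00" * 16 + body   # zero authenticator for the sample


def sample_datagrams() -> dict:
    """Constructed test packets: one valid, three malformed in different ways."""
    good = build_radius(ACCESS_REQUEST, 7,
                        [(ATTR_USER_NAME, b"alice"), (ATTR_NAS_IP_ADDRESS, bytes([10, 0, 0, 1]))])
    # Attribute header says 10 bytes but only 3 follow (Length field is honest: 25).
    overrun = struct.pack("!BBH", ACCESS_REQUEST, 8, 25) + b"\x00" * 16 + bytes([1, 10]) + b"abc"
    # Attribute length of 0 would never advance the cursor.
    zero_len = struct.pack("!BBH", ACCESS_REQUEST, 9, 22) + b"\x00" * 16 + bytes([1, 0])
    return {"good": good, "padded": good + b"\x00\x00",
            "overrun": overrun, "zero_len": zero_len, "short": good[:10]}


def flag_noisy_sources(datagrams, threshold: int = 5) -> dict:
    """Given (source, datagram) pairs, return sources that sent at least
    `threshold` malformed datagrams: a simple monitoring signal."""
    rejected = Counter(src for src, dgram in datagrams if not is_wellformed(dgram))
    return {src: n for src, n in rejected.items() if n >= threshold}


if __name__ == "__main__":
    samples = sample_datagrams()
    for name, dgram in samples.items():
        print(f"{name:9s} -> {'ok' if is_wellformed(dgram) else 'rejected'}")
    traffic = [("10.0.0.5", samples["overrun"])] * 5 + [("10.0.0.9", samples["good"])]
    print("noisy sources:", flag_noisy_sources(traffic))
```

The parser never indexes `body` without first confirming the bytes exist, so a datagram that lies about its size is rejected rather than read past; `flag_noisy_sources` then turns those rejections into the kind of per-source count a RADIUS log monitor can alert on.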
Organizations using Cisco ISE for TACACS+ only are not affected by this vulnerability, providing a potential configuration alternative for environments where immediate patching isn’t feasible.
Immediate patching, vigilant monitoring, and adherence to best security practices are essential to mitigate potential threats.