CVE-2025-20343

A vulnerability in the RADIUS setting Reject RADIUS requests from clients with repeated failures on Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause Cisco ISE to restart unexpectedly. This vulnerability is due to a logic error when processing a RADIUS access request for a MAC address that is already a rejected endpoint. An attacker could exploit this vulnerability by sending a specific sequence of multiple crafted RADIUS access request messages to Cisco ISE. A successful exploit could allow the attacker to cause a denial of service (DoS) condition when Cisco ISE restarts.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-radsupress-dos-8YF3JThh	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:cisco:identity_services_engine:3.4.0:-::::::
	cpe:2.3:a:cisco:identity_services_engine:3.4.0:patch1::::::
	cpe:2.3:a:cisco:identity_services_engine:3.4.0:patch2::::::
	cpe:2.3:a:cisco:identity_services_engine:3.4.0:patch3::::::

History

19 Nov 2025, 14:56

Type	Values Removed	Values Added
CPE		cpe:2.3:a:cisco:identity_services_engine:3.4.0:patch3:::::: cpe:2.3:a:cisco:identity_services_engine:3.4.0:patch2:::::: cpe:2.3:a:cisco:identity_services_engine:3.4.0:-:::::: cpe:2.3:a:cisco:identity_services_engine:3.4.0:patch1::::::
First Time		Cisco Cisco identity Services Engine
References	~~() https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-radsupress-dos-8YF3JThh -~~	() https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-radsupress-dos-8YF3JThh - Vendor Advisory

06 Nov 2025, 19:45

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-11-05 17:15

Updated : 2025-11-19 14:56

NVD link : CVE-2025-20343

Mitre link : CVE-2025-20343

CVE.ORG link : CVE-2025-20343

JSON object : View

Products Affected

cisco

identity_services_engine

CWE

CWE-697

Incorrect Comparison

{"id": "CVE-2025-20343", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-11-05T17:15:37.443", "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-radsupress-dos-8YF3JThh", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-697"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the RADIUS setting Reject RADIUS requests from clients with repeated failures on Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause Cisco ISE to restart unexpectedly.\r\n\r\nThis vulnerability is due to a logic error when processing a RADIUS access request for a MAC address that is already a rejected endpoint. An attacker could exploit this vulnerability by sending a specific sequence of multiple crafted RADIUS access request messages to Cisco ISE. A successful exploit could allow the attacker to cause a denial of service (DoS) condition when Cisco ISE restarts."}], "lastModified": "2025-11-19T14:56:35.483", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cisco:identity_services_engine:3.4.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D23905E0-E525-49B1-8E5F-4EB42D186768"}, {"criteria": "cpe:2.3:a:cisco:identity_services_engine:3.4.0:patch1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74509498-38EF-4345-9583-CEF5C26CA1D8"}, {"criteria": "cpe:2.3:a:cisco:identity_services_engine:3.4.0:patch2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CD05FF93-7B8C-4283-9DB7-E03FE98FAADF"}, {"criteria": "cpe:2.3:a:cisco:identity_services_engine:3.4.0:patch3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F9B6A8E-E773-44A3-9266-878F0C58EB41"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}