A high-severity vulnerability has been discovered in Cisco Identity Services Engine (ISE) that allows an unauthenticated, remote attacker to cause the system to restart. Successful exploitation of this vulnerability results in a denial-of-service condition, which can disrupt network access for all users who rely on ISE for authentication.

The vulnerability exists within the RADIUS service of Cisco Identity Services Engine (ISE), specifically in the feature that rejects RADIUS requests from clients with repeated failures. An unauthenticated, remote attacker can exploit this flaw by sending a sequence of specially crafted RADIUS requests to a vulnerable ISE node. When the system processes these repeated failed requests, an error is triggered that causes the entire ISE service to crash and restart, resulting in a temporary denial of service.

This vulnerability is rated as High severity with a CVSS score of 8.6. The primary business impact is a loss of availability for network access control services. As Cisco ISE is a critical component for authenticating users and devices to wired, wireless, and VPN networks, an unexpected restart will prevent legitimate users from connecting to network resources. This can lead to significant operational disruptions, loss of productivity, and an inability to enforce security policies across the network until the service is restored.

Immediate Action: Apply the security updates provided by Cisco to all affected Identity Services Engine deployments immediately. Prioritize patching for internet-facing or mission-critical ISE nodes. After patching, monitor system logs for any signs of instability or further unexpected reboots.

Proactive Monitoring: Monitor for an unusual volume of failed RADIUS authentication requests, especially from untrusted or unknown source IP addresses. System administrators should configure alerts for unexpected service restarts or crash events on ISE nodes. Review network traffic for anomalous patterns targeting RADIUS ports (UDP/1812, UDP/1813, UDP/1645, UDP/1646).

Compensating Controls: If patching cannot be performed immediately, implement strict Access Control Lists (ACLs) on network firewalls or routers to limit RADIUS traffic to ISE nodes from only known, trusted network access devices (e.g., switches, wireless controllers). This will limit the attack surface by preventing attackers on untrusted networks from reaching the vulnerable service.

Public Exploit Available: false

Given the high severity score (CVSS 8.6) and the ability for a remote, unauthenticated attacker to cause a denial-of-service, organizations are urged to treat this vulnerability with high priority. The potential for significant business disruption from the loss of network authentication services is substantial. Although CVE-2025-20343 is not currently on the CISA KEV list, its critical impact warrants immediate patching across all vulnerable Cisco ISE deployments.