
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A vulnerability in the RADIUS message processing feature of Cisco Identity Services Engine (ISE) was discovered and disclosed on May 21, 2025. The vulnerability, tracked as CVE-2025-20152, affects Cisco ISE systems configured with RADIUS authentication services, which are enabled by default. This security flaw has been assigned a CVSS base score of 8.6 (High) and is classified under CWE-125 (Out-of-bounds Read) (Cisco Advisory, NVD).
The vulnerability stems from improper handling of certain RADIUS requests in Cisco ISE. The issue specifically affects systems configured with RADIUS authentication services, which is the default configuration. The vulnerability has been assigned a CVSS vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (Cisco Advisory).
Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition, resulting in the Cisco ISE system reloading. This impact is particularly significant as it affects the authentication, authorization, and accounting (AAA) capabilities of the system (Cisco Advisory).
Cisco has released software updates to address this vulnerability in version 3.4P1 for the 3.4 release line. Systems running version 3.3 and earlier are not vulnerable. No workarounds are available for this vulnerability, making it critical for affected users to apply the provided software updates. Users can obtain these updates through their usual update channels if they have valid service contracts (Cisco Advisory).
Source: This report was generated using AI