CVE-2025-20343: 
Cisco ISE vulnerability analysis and mitigation

A vulnerability (CVE-2025-20343) was discovered in Cisco Identity Services Engine (ISE) affecting the RADIUS setting 'Reject RADIUS requests from clients with repeated failures'. The vulnerability was disclosed on November 5, 2025, and affects Cisco ISE releases 3.4.0, 3.4 Patch 1, 3.4 Patch 2, and 3.4 Patch 3 (Cisco Advisory).

The vulnerability stems from a logic error in processing RADIUS access requests for MAC addresses that are already rejected endpoints. It has been assigned a CVSS base score of 8.6 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H. The vulnerability is classified under CWE-697 (Incorrect Comparison) (Cisco Advisory, NVD).

A successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition by forcing Cisco ISE to restart unexpectedly. This could significantly impact network authentication services (Cisco Advisory).

Cisco has released software updates to address this vulnerability in version 3.4 Patch 4. As a temporary workaround, administrators can disable the 'Reject RADIUS requests from clients with repeated failures' setting by navigating to Administration > System > Settings > Protocols > RADIUS and unchecking the option in the Suppress Repeated Failed Clients section. However, Cisco recommends re-enabling this configuration after upgrading to the fixed version (Cisco Advisory).

The vulnerability was discovered during the resolution of a Cisco Technical Assistance Center (TAC) support case. The disclosure coincided with other security patches from Cisco, including critical flaws in Unified Contact Center Express (Hacker News).