# 🔒 **CVE-2025-20343: Cisco ISE RADIUS Suppression DoS Vulnerability** 🌐
---
## ⚠️ **Overview**
🚨 **High-severity** denial-of-service (DoS) flaw in **Cisco Identity Services Engine (ISE)**!
💥 An **unauthenticated remote attacker** can **crash the device** with crafted RADIUS packets.
📅 **Disclosed**: November 5, 2025
✅ **No known exploitation in the wild** (yet!)
---
## 🛠️ **How It Works**
🔄 A **logic error** in the **"Reject RADIUS requests from clients with repeated failures"** setting.
🕵️♂️ Attacker sends **crafted RADIUS Access-Requests** targeting a **rejected MAC address**.
💣 Triggers **unexpected restart** → **DoS condition**
🌍 Requires **network access** to RADIUS port — **no auth needed**!
> **CWE-697**: Incorrect Comparison Logic
---
## 📊 **Severity Score**
**🔴 CVSS v3.1: 8.6 (High)**
```
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
```
| Metric | Value | Meaning |
|--------|-------|--------|
| 🔗 **Attack Vector** | Network | Remotely exploitable |
| ⚡ **Complexity** | Low | No special skills/tools |
| 🛡️ **Privileges** | None | Unauthenticated |
| 👤 **User Interaction** | None | Fully automated |
| 🌍 **Scope** | Changed | Impacts beyond ISE |
| 🔒 **Confidentiality** | None | No data leak |
| ✅ **Integrity** | None | No tampering |
| ⛔ **Availability** | **High** | Full service outage |
---
## 🖥️ **Affected Systems**
**Product**: Cisco Identity Services Engine (ISE)
**Vulnerable Versions**:
- 3.4.0
- 3.4 Patch 1
- 3.4 Patch 2
- 3.4 Patch 3
> **Only if using RADIUS (802.1X, VPN, etc.)**
> **HA clusters may reduce downtime via failover**
---
## 🛡️ **Exploitation Status**
| Status | Details |
|-------|--------|
| 🚫 **In the Wild** | None reported |
| ⚙️ **Difficulty** | **Low** – Just send repeated RADIUS packets |
| 🎯 **Likely Target** | Enterprises using ISE for NAC, Wi-Fi, or VPN auth |
---
## 🛑 **Mitigation & Fixes**
**🔧 Fix It**
- **Upgrade** to patched ISE version (check Cisco advisory)
- 📌 Apply **ASAP** — easy to exploit!
**🔥 Workarounds**
- **Disable** “Reject repeated failures” (⚠️ reduces brute-force protection)
- **Filter** RADIUS traffic with ACLs/firewalls
- **Deploy HA** with tested failover
**🛡️ Best Practices**
- 🧪 Test patches in lab first
- 📡 Monitor for: restarts, RADIUS spikes, auth failures
- ⏰ Patch during maintenance windows
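One way to act on the monitoring item above (RADIUS spikes and auth failures), as an added example that is not part of this advisory or of Cisco ISE: it flags a client that keeps sending requests for a MAC address ISE has already suppressed, and lists service restarts to correlate against. The log layout and the `reason=SUPPRESSED` field are constructed assumptions; a real deployment would parse ISE's own RADIUS and system logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (not ISE's real log format): one NAS keeps replaying
# requests for a MAC that is already under "repeated failures" suppression,
# and the RADIUS service restarts shortly afterwards.
SAMPLE_LOG = """\
2025-11-05T10:00:00Z radius nas=10.0.0.5 mac=AA:BB:CC:DD:EE:01 result=REJECT reason=BAD_CREDENTIALS
2025-11-05T10:00:01Z radius nas=10.0.0.5 mac=AA:BB:CC:DD:EE:01 result=REJECT reason=SUPPRESSED
2025-11-05T10:00:02Z radius nas=10.0.0.5 mac=AA:BB:CC:DD:EE:01 result=REJECT reason=SUPPRESSED
2025-11-05T10:00:03Z radius nas=10.0.0.5 mac=AA:BB:CC:DD:EE:01 result=REJECT reason=SUPPRESSED
2025-11-05T10:00:04Z radius nas=10.0.0.5 mac=AA:BB:CC:DD:EE:01 result=REJECT reason=SUPPRESSED
2025-11-05T10:00:05Z radius nas=10.0.0.9 mac=AA:BB:CC:DD:EE:02 result=ACCEPT reason=-
2025-11-05T10:05:00Z radius nas=10.0.0.5 mac=AA:BB:CC:DD:EE:01 result=REJECT reason=SUPPRESSED
2025-11-05T10:05:01Z service ise-radius event=RESTART
"""

AUTH_RE = re.compile(r"^(?P<ts>\S+) radius nas=(?P<nas>\S+) mac=(?P<mac>\S+) "
                     r"result=(?P<result>\S+) reason=(?P<reason>\S+)$")
RESTART_RE = re.compile(r"^(?P<ts>\S+) service \S+ event=RESTART$")


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suppression_floods(log, threshold=4, window_s=60):
    """Return {(nas, mac): peak_count} for clients whose rejects of an
    already-suppressed MAC reach `threshold` within any `window_s` window."""
    recent = defaultdict(deque)   # (nas, mac) -> timestamps of suppressed rejects
    alerts = {}
    for line in log.splitlines():
        m = AUTH_RE.match(line)
        if not m or m["result"] != "REJECT" or m["reason"] != "SUPPRESSED":
            continue   # only repeats against a suppressed client matter here
        key, ts = (m["nas"], m["mac"]), parse_ts(m["ts"])
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


def find_restarts(log):
    """Timestamps of RADIUS service restarts, to correlate with flood alerts."""
    return [m["ts"] for m in map(RESTART_RE.match, log.splitlines()) if m]
```

A flood alert followed within minutes by a restart is the pattern worth paging on; tune `threshold` and `window_s` to your NAS population so ordinary retry storms do not trip it.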
---
## 📚 **References**
- 🔗 [Cisco Official Advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-radsupress-dos-8YF3JThh)
- 📰 [RedPacket Security](https://www.redpacketsecurity.com/cve-alert-cve-2025-20343-cisco-cisco-identity-services-engine-software/)
- 💻 [BleepingComputer](https://www.bleepingcomputer.com/news/security/critical-cisco-uccx-flaw-lets-hackers-run-commands-as-root/)
- 🇩🇪 [Heise Online](https://www.heise.de/en/news/Cisco-Partially-critical-security-vulnerabilities-in-multiple-products-11067466.html)
---
**⚡ Action Item**: If you run **Cisco ISE 3.4**, **patch now**! This is a **low-effort, high-impact** attack waiting to happen. 🚀
*Stay secure!* 🔐