Analysis Summary

Cisco recently disclosed a high-severity vulnerability, CVE-2025-20152, in its Identity Services Engine (ISE) version 3.4, which could allow unauthenticated remote attackers to cause a denial-of-service (DoS) condition. The flaw received a high CVSS score and resides in the RADIUS message processing functionality, which is enabled by default in most ISE deployments. This vulnerability stems from improper handling of specially crafted RADIUS authentication requests, leading to an out-of-bounds read (CWE-125) that can crash the system by triggering a full reload of the affected ISE server. Although discovered during internal testing and not observed in the wild, the exploitability and lack of user interaction required make it a serious threat.

The vulnerability is exploited by sending malformed RADIUS requests via network access devices (NADs) to Cisco ISE. When such requests are received, they exploit a flaw in the way ISE processes RADIUS packets, triggering an exception that causes the RADIUS service or the entire system to restart. This makes enterprise networks that rely on ISE for AAA (authentication, authorization, accounting) services vulnerable to service disruptions, especially since RADIUS typically uses UDP ports 1645/1812 for authentication and 1646/1813 for accounting, which are susceptible to remote attacks. While it’s unrelated to the earlier “Blast-RADIUS” issue, the timing of this disclosure has increased awareness of RADIUS protocol vulnerabilities.

The impact is most significant for organizations using ISE version 3.4 with RADIUS authentication enabled. Older versions (3.3 and earlier) are unaffected, and environments that rely solely on TACACS+ for AAA services are not vulnerable. No authentication or user interaction is needed to exploit this flaw, highlighting the critical nature of the issue. Cisco has released a patched version of ISE 3.4P1 and strongly urges customers to apply this fix immediately as no workarounds exist. Customers with service contracts can access the updated software through standard update channels.

Security professionals recommend a layered approach to mitigation beyond patching. Organizations should implement network segmentation to reduce exposure, restrict RADIUS traffic from untrusted networks, and monitor authentication logs for unusual activity. Until patching is completed, switching to TACACS+ where possible can serve as a temporary safeguard. Given the broad adoption of RADIUS in enterprise environments and the ease with which this vulnerability could be exploited remotely, prompt and comprehensive mitigation is essential to maintaining network security and service continuity.

Impact

• DoS Conditions

Indicators of Compromise

CVE

• CVE-2025-20152

Affected Vendors

Remediation

• Refer to Cisco Security Advisory for patch, upgrade, or suggested workaround information.
• Confirm whether your deployment is running version 3.4. Versions 3.3 and earlier are not affected.
• Limit RADIUS traffic from untrusted or external networks until patching is complete.
• Watch for unusual or suspicious RADIUS request patterns that could indicate exploit attempts.
• Reduce exposure by segregating network access devices (NADs) from critical ISE infrastructure.
• If RADIUS is not essential, switch to TACACS+, which is not impacted by this vulnerability.
• Block unauthorized access to UDP ports 1645/1812 (authentication) and 1646/1813 (accounting) at network boundaries.
• Maintain valid Cisco support contracts to ensure access to security updates and technical assistance.