Cisco has identified a critical vulnerability in its Identity Services Engine (ISE) that could allow unauthenticated remote attackers to disrupt network authentication services. This flaw, designated as CVE-2025-20152 with a CVSS score of 8.6, poses a significant risk to organizations relying on Cisco ISE for network access control.
Understanding the Vulnerability
The issue resides in the RADIUS message processing feature of Cisco ISE. Due to improper handling of specific RADIUS requests, an attacker can exploit this flaw by sending specially crafted authentication requests to a network access device (NAD) that utilizes Cisco ISE for authentication, authorization, and accounting (AAA) services. This action can trigger a complete system reload of the affected ISE device, leading to a denial-of-service (DoS) condition.
Notably, RADIUS services are enabled by default in Cisco ISE deployments, making many organizations susceptible unless they exclusively use TACACS+ for authentication services. The vulnerability affects Cisco ISE version 3.4; versions 3.3 and earlier are not impacted.
Potential Impact on Organizations
Exploitation of this vulnerability can result in significant service disruptions. By causing the ISE device to reload, legitimate users may experience authentication and authorization timeouts, effectively denying them access to network resources. Given the widespread adoption of RADIUS for network access control, the potential impact is substantial across various enterprise environments.
Mitigation and Recommendations
Cisco has released a software update, ISE 3.4P1, to address this vulnerability. Organizations are strongly advised to upgrade affected systems promptly, as no workarounds are available. To apply the update, administrators should follow these steps:
1. Verify Current Version: Log in to the Cisco ISE administrative interface and navigate to the About section to confirm the current software version.
2. Download the Update: Access the Cisco Software Download Center and locate the ISE 3.4P1 update package.
3. Backup Configuration: Before proceeding with the update, perform a full backup of the current ISE configuration to prevent data loss in case of unforeseen issues.
4. Install the Update: Follow the installation instructions provided in the Cisco ISE Upgrade Guide to apply the update.
5. Verify Installation: After the update, confirm that the system is running the new version and monitor for any irregularities.
Regularly updating network security appliances is crucial to maintaining a secure environment. Administrators should also review their network configurations to ensure that only necessary services are enabled and that access controls are appropriately configured.
Broader Context and Related Vulnerabilities
This disclosure comes in the wake of the Blast-RADIUS vulnerability discovered earlier this year, which exploited weaknesses in the MD5 cryptographic function used by RADIUS. While the two issues are unrelated, they underscore the importance of vigilance in managing network authentication protocols.
In addition to CVE-2025-20152, Cisco has addressed other critical vulnerabilities in its ISE platform:
– CVE-2025-20124: An insecure Java deserialization issue in the API of Cisco ISE, allowing authenticated remote attackers with read-only administrative credentials to execute arbitrary commands as the root user.
– CVE-2025-20125: An authorization bypass vulnerability in a specific API, enabling authenticated remote attackers with read-only credentials to obtain sensitive information, modify system configurations, and reload the device.
Both vulnerabilities have been addressed in recent software updates, and organizations are urged to apply these patches promptly.
Conclusion
The discovery of CVE-2025-20152 highlights the ongoing challenges in securing network authentication services. Organizations must remain proactive in applying security updates and reviewing their network configurations to mitigate potential threats. By staying informed and vigilant, enterprises can better protect their networks against evolving security vulnerabilities.
