Critical Cisco ISE Vulnerability Exposes Networks to Remote Attacks
A significant security flaw has been identified in Cisco’s Identity Services Engine (ISE), potentially allowing remote attackers to disrupt network operations by triggering unexpected system restarts. This vulnerability, designated as CVE-2024-20399, arises from the way ISE processes repeated authentication failures from previously rejected endpoints, leading to a denial-of-service (DoS) condition.
Understanding the Vulnerability
The core issue lies in a logic error within ISE’s RADIUS configuration. Specifically, when the system is set to reject client requests after multiple authentication failures, it becomes susceptible to exploitation. Attackers can craft RADIUS access request messages targeting MAC addresses that have already been flagged as rejected. Upon processing these malicious requests, ISE may crash and restart unexpectedly, thereby disrupting authentication services across the network.
Affected Versions and Default Settings
This vulnerability predominantly affects Cisco ISE versions 3.4.0 through 3.4 Patch 3. In these versions, the setting Reject RADIUS requests from clients with repeated failures is enabled by default, making them particularly vulnerable. It’s important to note that earlier versions (3.3 and below) and newer releases (3.5 and above) are not impacted by this specific issue.
Potential Impact on Organizations
Cisco ISE serves as a central hub for network access control, device authentication, and compliance policy enforcement. An unexpected system restart can lead to several adverse effects:
– Loss of Network Visibility: Organizations may lose real-time insights into network activity, hindering their ability to monitor and respond to potential threats.
– Authentication Failures: Legitimate users and devices might face authentication issues, leading to access denials and operational disruptions.
– Business Operations Disruption: The cascading effect of these issues can disrupt critical business operations, especially in environments heavily reliant on network connectivity.
Mitigation Strategies
To address this vulnerability, Cisco has provided several recommendations:
1. Immediate Action: Administrators can disable the Reject RADIUS requests from clients with repeated failures setting in the ISE administration console. This action provides a temporary safeguard against potential exploits.
2. Software Updates: Cisco advises upgrading ISE systems to version 3.4 Patch 4 or later. These updates contain fixes that address the identified vulnerability.
3. Configuration Verification: Administrators should navigate to Administration > System > Settings > Protocols > RADIUS within the ISE console to verify and adjust their current settings as needed.
Broader Context of Cisco ISE Vulnerabilities
This isn’t the first time Cisco ISE has been under scrutiny for security vulnerabilities. In recent years, several critical flaws have been identified:
– CVE-2025-20281 and CVE-2025-20282: Disclosed in June 2025, these vulnerabilities allowed unauthenticated remote code execution with root privileges due to insufficient input validation and improper file validation in specific APIs. Both carried a maximum CVSS score of 10.0, indicating severe risk to unpatched systems. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/cisco-warns-of-max-severity-rce-flaws-in-identity-services-engine/?utm_source=openai))
– CVE-2025-20152: Identified in May 2025, this flaw involved improper handling of RADIUS messages, enabling attackers to cause denial-of-service conditions by sending crafted authentication requests. ([dec-solutions.com](https://dec-solutions.com/cve-2025-20152-cisco-ise-radius-ddos-vulnerability/?utm_source=openai))
– CVE-2025-20337: Announced in July 2025, this vulnerability stemmed from insufficient input validation in a specific API, allowing remote code execution with root privileges. The flaw posed significant risks, especially in environments relying on ISE for network access control. ([cyberpress.org](https://cyberpress.org/cisco-identitycyber-attacks/?utm_source=openai))
Recommendations for Organizations
Given the recurring nature of vulnerabilities in Cisco ISE, organizations should adopt a proactive approach to cybersecurity:
– Regular Updates: Ensure that all Cisco ISE systems are updated promptly with the latest patches and software releases.
– Configuration Audits: Periodically review system configurations to identify and rectify settings that may introduce security risks.
– Monitoring and Logging: Implement robust monitoring to detect unusual activities, such as unexpected system restarts or authentication anomalies.
– Incident Response Planning: Develop and regularly update incident response plans to address potential exploits swiftly and effectively.
Conclusion
The discovery of CVE-2024-20399 underscores the critical importance of vigilant cybersecurity practices. Organizations utilizing Cisco ISE must take immediate steps to mitigate this vulnerability to safeguard their network infrastructure and maintain operational integrity.
