A newly disclosed critical vulnerability in Cisco Identity Services Engine (ISE) could let remote attackers crash systems and cause widespread network disruptions. Tracked as CVE-2024-20399, the flaw carries a CVSS v3.1 score of 7.5 and affects Cisco ISE versions 3.4.0 through 3.4 Patch 3.
What Causes the Cisco ISE RADIUS Vulnerability?
The issue stems from how Cisco ISE handles repeated authentication failures from endpoints previously marked as rejected. When attackers send a crafted series of RADIUS access requests targeting these blocked endpoints, it triggers a denial-of-service (DoS) condition.
The result? The ISE system crashes and restarts unexpectedly — disrupting authentication, access control, and compliance enforcement across the entire network.
Why This Flaw Is Dangerous
This vulnerability doesn’t require any valid credentials. That means anyone with network access can exploit it remotely by sending malicious RADIUS requests.
Because Cisco ISE is a central component for network access control and device authentication, an unexpected restart can temporarily block all user authentications — creating a chain reaction of service outages and visibility loss across connected systems.
Affected Cisco ISE Versions
| CVE ID | Product | Affected Versions | CVSS Score | Type |
|---|---|---|---|---|
| CVE-2024-20399 | Cisco ISE | 3.4.0, 3.4 P1, 3.4 P2, 3.4 P3 | 7.5 | Denial of Service (DoS) |
Cisco confirmed that this issue affects only ISE 3.4.x versions up to Patch 3, where the following setting is enabled by default:
“Reject RADIUS requests from clients with repeated failures”
Earlier versions (3.3 and below) and newer releases (3.5 and later) are not affected.
How to Protect Your Network
Cisco has released a fix and multiple mitigation options to address the issue. Administrators should take these immediate steps:
- Disable the vulnerable setting
- Navigate to:
Administration > System > Settings > Protocols > RADIUS - Temporarily disable the “Reject RADIUS requests from clients with repeated failures” option.
- Navigate to:
- Upgrade to a safe version
- Apply Patch 4 or upgrade to Cisco ISE 3.5 or later.
- Once patched, re-enable the RADIUS rejection setting to restore normal protection.
- Monitor for abnormal RADIUS activity
- Watch for spikes in authentication failures or repeated access requests targeting blocked MAC addresses.
Final Thoughts
The Cisco ISE CVE-2024-20399 vulnerability highlights how a simple logic flaw in RADIUS handling can lead to major operational disruptions. Organizations relying on Cisco ISE for network security and access control should immediately disable the vulnerable configuration and plan for patching to prevent potential denial-of-service attacks.
