Critical Vulnerability in Cloud Deployments of Cisco ISE, Patch Immediately!

  • Published: 05/06/2025
  • Last update: 05/06/2025
  • Affected software: Cisco Identity Services Engine (ISE) when deployed on AWS, Azure, and OCI platforms.
  • Type:
    → Use of Hard-coded Password
  • CVE/CVSS:
    → CVE-2025-20286: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H)

Sources

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7

Risks

CVE-2025-20286 is a critical vulnerability in Cisco’s Identity Services Engine (ISE) when the Primary Administration Node is deployed in the cloud on platforms such as AWS, Azure, or Oracle Cloud Infrastructure.

It allows remote, unauthenticated attackers to exploit credentials shared across cloud environments, potentially granting access to sensitive data and limited administrative functions, allowing modification of system configurations, and enabling service disruption.

The vulnerability significantly impacts the confidentiality, integrity, and availability of affected systems.

Description

The issue stems from Cisco ISE generating identical static credentials for all cloud-based deployments of the same software version and platform.

An attacker with access to one cloud-hosted Cisco ISE instance could extract these credentials and reuse them to connect to other cloud-deployed ISE instances via exposed and unsecured ports.

This enables unauthorised access, data leakage, system modifications, and service disruption.

Note: The vulnerability only affects environments where the Primary Administration Node is deployed in the cloud. On-premises deployments are not affected.
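The root cause described above is the hard-coded-credential pattern (CWE-798): a secret derived only from inputs that every deployment of the same image shares. The following is an added illustration written for this advisory, not Cisco's code and not a description of how ISE itself builds its credentials. It contrasts a hypothetical weak generator, whose output depends only on platform and version, with a per-instance generator that mixes in a secret created on the instance at first boot. All names, the `Instance` fields and the sample values are constructed for the example.

```python
"""Added example (not Cisco's code): why credentials derived only from
shared image properties collide across deployments, and the per-instance fix.
Every name and value below is hypothetical."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Instance:
    platform: str     # constructed sample values: "aws", "azure", "oci"
    version: str      # constructed sample value: "3.2"
    instance_id: str  # constructed sample value, unique per deployment


def weak_credential(inst: Instance) -> str:
    # Weak pattern: the only inputs are properties every deployment of the same
    # platform and version shares, so every such deployment receives the same
    # credential and extracting it from one instance reveals it for all.
    material = f"{inst.platform}:{inst.version}".encode()
    return hashlib.sha256(material).hexdigest()[:32]


def new_first_boot_secret() -> bytes:
    # Generated on the running instance at first boot, never baked into the
    # image, so two deployments of the identical image never share it.
    return secrets.token_bytes(32)


def strong_credential(inst: Instance, first_boot_secret: bytes) -> str:
    # Fixed pattern: key the derivation with the per-instance secret. Two
    # instances of the same platform and version now diverge, and an
    # attacker who learns one credential learns nothing about the others.
    material = f"{inst.platform}:{inst.version}:{inst.instance_id}".encode()
    return hmac.new(first_boot_secret, material, hashlib.sha256).hexdigest()[:32]


def credentials_shared(creds: list[str]) -> bool:
    # Defender-side check: True if any two deployments ended up with the same
    # credential, which is exactly the condition the advisory warns about.
    return len(set(creds)) < len(creds)


if __name__ == "__main__":
    a = Instance("aws", "3.2", "i-0a")  # constructed
    b = Instance("aws", "3.2", "i-0b")  # constructed, same image as `a`
    print("weak shared:  ", credentials_shared([weak_credential(a), weak_credential(b)]))
    print("strong shared:", credentials_shared(
        [strong_credential(a, new_first_boot_secret()),
         strong_credential(b, new_first_boot_secret())]))
```

The important design point is not the hash function but the input: the weak generator can be reproduced by anyone who knows the platform and version, while the fixed generator requires a secret that exists only on that one instance.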

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing. Cisco has released software updates that address this vulnerability. There are no workarounds available.

Monitor/Detect
The CCB recommends that organizations scale up monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7#fs
https://nvd.nist.gov/vuln/detail/CVE-2025-20286
https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-16883