Reference: Advisory #2025-27
Version: 1.0
Affected software: Cisco Identity Services Engine (ISE)
Type: Insecure Java Deserialization Vulnerability and Authorization Bypass Vulnerability
CVE/CVSS:
Cisco Identity Services Engine (ISE) is a network access control and identity management solution that enforces policies for secure user and device authentication across an organization’s network. Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands and elevate privileges on an affected device.
To exploit these vulnerabilities, an attacker must have valid read-only administrative credentials. The vulnerabilities have a high impact on all vertices of the CIA triad.
These vulnerabilities affect Cisco ISE and Cisco ISE Passive Identity Connector (ISE-PIC), regardless of device configuration.
CVE-2025-20124: Cisco ISE Insecure Java Deserialization Vulnerability
A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device.
This vulnerability is due to insecure deserialization of user-supplied Java byte streams by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object to an affected API. A successful exploit could allow the attacker to execute arbitrary commands on the device and elevate privileges.
CVE-2025-20125: Cisco ISE Authorization Bypass Vulnerability
A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node.
This vulnerability is due to a lack of authorization in a specific API and improper validation of user-supplied data. An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device. A successful exploit could allow the attacker to obtain information, modify system configuration, and reload the device.
Vendor advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multivuls-FTW9AOXF
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
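One way to review historic API request records for the two behaviours described above, as an added example that is not part of the CCB or Cisco advisory: it flags request bodies that carry a Java serialization stream (raw or base64) and state-changing requests that succeeded for read-only administrator accounts. The record fields, account names and sample data are constructed assumptions, not the ISE log schema.

```python
import base64
import binascii

# Java Object Serialization Stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005
JAVA_MAGIC = bytes.fromhex("aced0005")
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def has_java_serialized_object(body: bytes) -> bool:
    """True if the body is, or base64-decodes to, a Java serialization stream."""
    data = body.lstrip()
    if data.startswith(JAVA_MAGIC):
        return True
    # base64 of the header always begins "rO0AB", but that prefix alone also
    # matches other fourth bytes, so decode the first 8 characters to confirm.
    if data.startswith(b"rO0AB"):
        try:
            return base64.b64decode(data[:8]).startswith(JAVA_MAGIC)
        except (binascii.Error, ValueError):
            return False
    return False


def triage(records, read_only_admins):
    """Return (record id, reason) findings for a list of API request records."""
    findings = []
    for rec in records:
        if has_java_serialized_object(rec["body"]):
            findings.append((rec["id"], "java-serialized-body"))
        if (rec["user"] in read_only_admins
                and rec["method"] in STATE_CHANGING
                and 200 <= rec["status"] < 300):
            findings.append((rec["id"], "read-only-admin-write-succeeded"))
    return findings


# Constructed sample records (hypothetical field names and accounts).
SAMPLE = [
    {"id": 1, "user": "ro-admin", "method": "GET", "status": 200, "body": b""},
    {"id": 2, "user": "ro-admin", "method": "POST", "status": 200,
     "body": base64.b64encode(JAVA_MAGIC + b"sr\x00\x04Demo")},
    {"id": 3, "user": "ro-admin", "method": "PUT", "status": 403, "body": b'{"k": "v"}'},
    {"id": 4, "user": "super-admin", "method": "POST", "status": 201, "body": b'{"k": "v"}'},
    {"id": 5, "user": "ro-admin", "method": "POST", "status": 204, "body": b"rO0ABsomething"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE, {"ro-admin"}):
        print(finding)
```

A finding is a lead for investigation, not proof of exploitation; the set of read-only administrator accounts has to be supplied from the deployment's own role assignments.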
TheHackerNews: https://thehackernews.com/2025/02/cisco-patches-critical-ise.html
CybersecurityNews: https://securityonline.info/cve-2025-20124-cve-2025-20125-cisco-patches-critical-flaws-in-identity-services-engine/