Warning: Two critical vulnerabilities impact Cisco ISE, leading to unauthenticated remote code execution as root, Patch Immediately!

Published : 27/06/2025
  • Last update: 27/06/2025
  • Affected software:
    → Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) release 3.3 and 3.4
  • Type:
    → Unauthenticated Remote Code Execution
  • CVE/CVSS
    → CVE-2025-20281: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    → CVE-2025-20282: CVSS 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Sources

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6

Risks

The two zero-days are independent, and both allow an attacker to execute arbitrary code as the root user, giving them full control over the system.

The risk of exploitation is significant, as these devices often occupy a central role in an organization's IT infrastructure.

When exploited, both vulnerabilities have a high impact on confidentiality, integrity and availability.

There is currently no evidence of either of these vulnerabilities being actively exploited.

Description

CVE-2025-20281

This vulnerability in the API of Cisco ISE and Cisco ISE-PIC versions 3.3 and 3.4 allows an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit it by submitting a crafted API request.

This gives the attacker full control over the compromised system and its data. They can also use it to further infiltrate and impact an organisation.

There are no workarounds or mitigations; the only solution is to update immediately.

CVE-2025-20282

This vulnerability in the API of Cisco ISE and Cisco ISE-PIC version 3.4 allows an unauthenticated, remote attacker to upload arbitrary files and execute those files on the underlying operating system as root. The vulnerability is due to a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. An attacker could exploit it by uploading a crafted file to the affected device.

This gives the attacker full control over the compromised system and its data. They can also use it to further infiltrate and impact an organisation.

There are no workarounds or mitigations; the only solution is to update immediately.
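The advisory describes the defect class behind CVE-2025-20282 only in general terms: an upload path that does not validate where the uploaded file lands. The following is an added illustration of that class written for this page; it is hypothetical code, not Cisco's implementation, and the upload root `/var/uploads` and the function names are assumptions. It places a destination-path routine that trusts the client-supplied name next to a hardened one that confines every upload to a single non-privileged directory, so that reviewers can recognise the pattern in their own upload handlers.

```python
"""Upload destination handling: vulnerable pattern beside a hardened one.

Hypothetical example added for this advisory; not Cisco ISE code.
UPLOAD_ROOT is a constructed, non-privileged location.
"""
import os
from pathlib import Path, PurePosixPath

UPLOAD_ROOT = Path("/var/uploads")  # assumed upload directory

# Characters permitted in a stored file name (allow-list, not deny-list).
_ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-")


def escapes_root(dest: Path) -> bool:
    """True if `dest`, once normalised, lies outside UPLOAD_ROOT."""
    root = os.path.abspath(str(UPLOAD_ROOT))
    target = os.path.abspath(str(dest))
    return os.path.commonpath([root, target]) != root


def unsafe_destination(client_name: str) -> Path:
    """Vulnerable pattern: the client-supplied name is joined as-is.

    pathlib discards UPLOAD_ROOT when the client name is absolute, and
    '..' segments are kept, so the resulting path can point at any
    directory the service process can write to.
    """
    return UPLOAD_ROOT / client_name


def safe_destination(client_name: str) -> Path:
    """Hardened: accept only a bare file name and confine it to UPLOAD_ROOT.

    Raises ValueError for anything that is not a plain, allow-listed name
    (directory components, absolute paths, dot-files, empty names), and
    re-checks the normalised result against the root as a second layer.
    """
    name = PurePosixPath(client_name).name
    if (
        not name
        or name in (".", "..")
        or name != client_name          # client sent directory components
        or "\\" in name                 # Windows-style separator
        or name.startswith(".")         # hidden / dot-file
        or not set(name) <= _ALLOWED
    ):
        raise ValueError(f"invalid file name: {client_name!r}")
    dest = UPLOAD_ROOT / name
    if escapes_root(dest):              # defence in depth; should never trigger
        raise ValueError("destination escapes upload root")
    return dest


def rejects(client_name: str) -> bool:
    """Convenience wrapper: does the hardened routine refuse this name?"""
    try:
        safe_destination(client_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample names a reviewer might test an upload endpoint with.
    for sample in ("report.txt", "../../etc/cron.d/job", "/etc/cron.d/job", ".profile"):
        print(f"{sample!r:28} unsafe -> {unsafe_destination(sample)}  "
              f"escapes={escapes_root(unsafe_destination(sample))}  "
              f"hardened rejects={rejects(sample)}")
```

The point of the second layer in `safe_destination` is that name-level filtering and path-level confinement fail independently; a handler that does only the join-and-write shown in `unsafe_destination` is the shape of defect the advisory describes, and the fix is not a larger deny-list but never letting client input choose a directory at all.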

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-20281
https://nvd.nist.gov/vuln/detail/CVE-2025-20282