Warning: Two critical vulnerabilities impact Cisco ISE, leading to unauthenticated remote code execution as root, Patch Immediately!

Published : 27/06/2025
  • Last update: 23/07/2025
  • Affected software:
    → Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) release 3.3 and 3.4
  • Type:
    → Unauthenticated Remote Code Execution
  • CVE/CVSS
    → CVE-2025-20281: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    → CVE-2025-20282: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
    → CVE-2025-20337: CVSS 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Sources

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6

Risks

The two zero-days are independent, and both allow an attacker to execute arbitrary code as the root user, giving them full control over the system.

The risk of exploitation is significant, as these devices often occupy a central role in an organisation's IT infrastructure.

When exploited, both vulnerabilities have a high impact on confidentiality, integrity and availability.

Update 2025-07-23: Cisco has confirmed these vulnerabilities are now under active exploitation by threat actors!

Description

CVE-2025-20281 and CVE-2025-20337

Multiple vulnerabilities in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit these vulnerabilities.

These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.

There are no workarounds or mitigations; the only solution is to update immediately.

CVE-2025-20282

This vulnerability in the API of Cisco ISE and Cisco ISE-PIC version 3.4 allows an unauthenticated, remote attacker to upload arbitrary files and execute those files on the underlying operating system as root. This vulnerability is due to a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. An attacker could exploit this vulnerability by uploading a crafted file to the affected device.

This gives the attacker full control over the compromised system and its data. They can also use it to further infiltrate and impact an organisation.

There are no workarounds or mitigations; the only solution is to update immediately.

Update 17 JUL 2025: Added CVE-2025-20337 to this advisory, reflecting the vendor's decision to update their advisory in the same way.

Recommended Actions

Patch 
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect 
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-20281
https://nvd.nist.gov/vuln/detail/CVE-2025-20282