👾 Join us August 4–10 in Las Vegas for Hacker Summer Camp! Learn More

On This Page:

  1. Latest Cisco Identity Services Engine (ISE) & Cisco ISE Passive Identity Connector (ISE-PIC) vulnerabilities
  2. What is the impact?
  3. Are any updates or workarounds available?
  4. How do I find Cisco ISE installations with runZero?
  5. June 2024: CVE-2025-20286

How to find Cisco Identity Services Engine (ISE) installations

Matthew Kienow
|
Updated

Latest Cisco Identity Services Engine (ISE) & Cisco ISE Passive Identity Connector (ISE-PIC) vulnerabilities #

Three vulnerabilities have been disclosed in certain versions of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could allow an unauthenticated, remote adversary to issue execute commands on the underlying operating system as the root user. There is evidence that this vulnerability is being actively exploited in the wild.

  • Cisco ISE and Cisco ISE-PIC are at risk of an insufficient validation of user-supplied input vulnerability in a specific API. This could allow an unauthenticated, remote adversary to execute arbitrary code on the underlying operating system as the root user via a specially crafted API request. Successful exploitation could allow the adversary to obtain root privileges on an affected device. The adversary does not require any valid credentials to be able to exploit the vulnerability. This vulnerability has been designated CVE-2025-20281 and has been rated critical with a CVSS score of 9.8.
  • Cisco ISE and Cisco ISE-PIC are at risk of an improper privilege management vulnerability in an internal API due to a lack of file validation checks to prevent uploaded files from being stored in privileged directories on an affected system. This could allow an unauthenticated, remote adversary to upload arbitrary files to an affected device and then execute those files on the underlying operating system as the root user. Successful exploitation could allow the adversary to store malicious files on an affected system and then execute arbitrary code or obtain root privileges on an affected device. This vulnerability has been designated CVE-2025-20282 and has been rated critical with a CVSS score of 10.0
  • Cisco ISE and Cisco ISE-PIC are at risk of an insufficient validation of user-supplied input vulnerability in a specific API. This could allow an unauthenticated, remote adversary to execute arbitrary code on the underlying operating system as the root user via a specially crafted API request. Successful exploitation could allow the adversary to obtain root privileges on an affected device. The adversary does not require any valid credentials to be able to exploit the vulnerability. This vulnerability has been designated CVE-2025-20337 and has been rated critical with a CVSS score of 10.0.

The following versions are affected

  • Cisco ISE or ISE-PIC release 3.3 prior to version 3.3 Patch 7
  • Cisco ISE or ISE-PIC release 3.4 prior to version 3.4 Patch 2

What is the impact? #

Successful exploitation of this vulnerability by an attacker would allow credentials extracted from a Cisco ISE instance to be used on others from the same release on the same cloud platform. This could allow the attacker to access sensitive data, execute limited administrative operations, modify system configurations or disrupt services within the impacted systems.

Are any updates or workarounds available? #

Cisco has released updates in the form of patches for releases 3.3 and 3.4. Users should update to the latest version of the affected software.

  • Cisco ISE or ISE-PIC release 3.3 to version 3.3 Patch 7 and later releases
  • Cisco ISE or ISE-PIC release 3.4 to version 3.4 Patch 2 and later releases

Since the initial (version 1.0) advisory publication, Cisco released an improved fix for release 3.3 and recommends upgrading as follows:

  • Release 3.3 Patch 6 should be up upgraded to Release 3.3 Patch 7
  • Hot patch ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz or ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz should be up upgraded to Release 3.3 Patch 7 or Release 3.4 Patch 2

How do I find Cisco ISE installations with runZero? #

From the Software Inventory, use the following query to locate potentially impacted installations:

vendor:="Cisco" AND product:="Identity Services Engine"

June 2024: CVE-2025-20286 #

A vulnerability has been disclosed in certain cloud-deployed versions of Cisco Identity Services Engine (ISE) in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). The vulnerability exists due to improper credential generation in cloud platform deployments resulting in shared credentials across deployments based on release and cloud platform.

It is important to note that Cisco ISE is affected by this vulnerability when the Primary Administration node is deployed in the cloud. An on-premises Primary Administration node is not affected.

The following platforms and versions are affected

  • AWS Cisco ISE 3.1, 3.2, 3.3 and 3.4
  • Azure Cisco ISE 3.2, 3.3 and 3.4
  • OCI Cisco ISE 3.2, 3.3 and 3.4 

    This vulnerability has been designated CVE-2025-20286 and has a CVSS score of 9.9 (critical).

    What is the impact? #

    Successful exploitation of this vulnerability by an attacker would allow credentials extracted from a Cisco ISE instance to be used on others from the same release on the same cloud platform. This could allow the attacker to access sensitive data, execute limited administrative operations, modify system configurations or disrupt services within the impacted systems.

    Are any updates or workarounds available? #

    Cisco has released updates in the form of a hot fix for releases 3.1 through 3.4. Update to the latest version of the affected software when updates are available.

    Written by Matthew Kienow

    Matthew Kienow is a software engineer and security researcher. Matthew previously worked on the Recog recognition framework, AttackerKB as well as Metasploit's MSF 5 APIs. He has also designed, built, and successfully deployed many secure software solutions; however, often he enjoys breaking them instead. He has presented his research at various security conferences including DerbyCon, Hack In Paris, and CarolinaCon. His research has been cited by CSO, Threatpost and SC Magazine.

    More about Matthew Kienow
    Subscribe Now

    Get the latest news and expert insights delivered in your inbox.

    Welcome to the club! Your subscription to our newsletter is successful.

    Explore more

    Watch Now • On Demand
    Vulnerability management is broken: what's the fix?

    HD Moore and Omdia analyst Rik Turner discuss why traditional vulnerability management is struggling in modern IT infrastructures, why CVEs don’t tell the full story, and why prioritization alone isn’t enough to close critical security gaps.

    Watch Now
    runZero Hour, Episode 17
    The State of Vuln Management, Our Approach, and a Deep Dive into New Risk Findings
    On this special edition of runZero Hour, join VP of Security Research Tod Beardsley and Security Research Director Rob King for a deep dive into the future of exposure management.
    Watch Now
    Product Release
    Tackling the New Era of Exposure Management
    Fixing what’s broken with legacy tools and overcoming decades-old problems requires a new approach. Dive into how we do it at runZero.
    Read More
    Webcast
    The Unreasonable Effectiveness of Inside Out Attack Surface Management
    HD Moore, founder of runZero (and previously Metasploit), presents new research that will forever redefine how you approach attack surface management.
    Watch Now

    See Results in Minutes

    See & secure your total attack surface. Even the unknowns & unmanageable.

    Try runZero for Free
    © Copyright 2025 runZero, Inc. All Rights Reserved