Latest Cisco Identity Services Engine (ISE) & Cisco ISE Passive Identity Connector (ISE-PIC) vulnerabilities #

Three vulnerabilities have been disclosed in certain versions of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could allow an unauthenticated, remote adversary to execute commands on the underlying operating system as the root user. There is evidence of active exploitation in the wild.

  • Cisco ISE and Cisco ISE-PIC are at risk of an insufficient validation of user-supplied input vulnerability in a specific API. This could allow an unauthenticated, remote adversary to execute arbitrary code on the underlying operating system as the root user via a specially crafted API request. Successful exploitation could allow the adversary to obtain root privileges on an affected device. The adversary does not require any valid credentials to be able to exploit the vulnerability. This vulnerability has been designated CVE-2025-20281 and has been rated critical with a CVSS score of 9.8.
  • Cisco ISE and Cisco ISE-PIC are at risk of an improper privilege management vulnerability in an internal API due to a lack of file validation checks to prevent uploaded files from being stored in privileged directories on an affected system. This could allow an unauthenticated, remote adversary to upload arbitrary files to an affected device and then execute those files on the underlying operating system as the root user. Successful exploitation could allow the adversary to store malicious files on an affected system and then execute arbitrary code or obtain root privileges on an affected device. This vulnerability has been designated CVE-2025-20282 and has been rated critical with a CVSS score of 10.0.
  • Cisco ISE and Cisco ISE-PIC are at risk of an insufficient validation of user-supplied input vulnerability in a specific API. This could allow an unauthenticated, remote adversary to execute arbitrary code on the underlying operating system as the root user via a specially crafted API request. Successful exploitation could allow the adversary to obtain root privileges on an affected device. The adversary does not require any valid credentials to be able to exploit the vulnerability. This vulnerability has been designated CVE-2025-20337 and has been rated critical with a CVSS score of 10.0.

The following versions are affected:

  • Cisco ISE or ISE-PIC release 3.3 prior to version 3.3 Patch 7
  • Cisco ISE or ISE-PIC release 3.4 prior to version 3.4 Patch 2

What is the impact? #

Successful exploitation of any of these three vulnerabilities would allow an unauthenticated, remote attacker to execute arbitrary code or commands on the underlying operating system as the root user, and in the case of CVE-2025-20282 to first store malicious files in privileged directories on the device. With root on an ISE or ISE-PIC node, the attacker could access sensitive data, modify system configurations or disrupt services on the impacted system.

Are any updates or workarounds available? #

Cisco has released updates in the form of patches for releases 3.3 and 3.4. Users should update to the latest version of the affected software.

  • Cisco ISE or ISE-PIC release 3.3: upgrade to version 3.3 Patch 7 or a later release
  • Cisco ISE or ISE-PIC release 3.4: upgrade to version 3.4 Patch 2 or a later release

Since the initial (version 1.0) advisory publication, Cisco has released an improved fix for release 3.3 and recommends upgrading as follows:

  • Release 3.3 Patch 6 should be upgraded to Release 3.3 Patch 7
  • Hot patch ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz or ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz should be upgraded to Release 3.3 Patch 7 or Release 3.4 Patch 2 respectively

How do I find Cisco ISE installations with runZero? #

From the Software Inventory, use the following query to locate potentially impacted installations:

vendor:="Cisco" AND product:="Identity Services Engine"
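Once the inventory query has returned the Cisco ISE and ISE-PIC assets, the remaining work is deciding which of them still sit inside the affected ranges. The helper below is an added example, not runZero's or Cisco's code: it parses ISE version strings such as "3.3 Patch 6", applies the affected ranges and the interim hot patch names given above, and assumes a simple row shape (host, vendor, product, version, optional hot_patch) for the exported inventory, which is not runZero's actual export schema.

```python
import re

# Affected ranges from the advisory: release 3.3 before Patch 7, 3.4 before Patch 2.
FIXED_PATCH = {"3.3": 7, "3.4": 2}
# Interim hot-patch bundles from the advisory; hosts carrying one still need the full patch.
HOT_PATCHES = {
    "ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz",
    "ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz",
}
# Accepts "3.3", "3.3.0.430", "3.3 Patch 6"; a missing patch level counts as Patch 0.
_VER_RE = re.compile(r"^(\d+\.\d+)(?:\.\d+)*(?:\s*patch\s*(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """Return (release, patch_level) from an ISE version string."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cisco ISE version: {text!r}")
    return m.group(1), int(m.group(2) or 0)

def is_affected(version):
    """True if the version is inside the affected range for CVE-2025-20281/20282/20337."""
    release, patch = parse_version(version)
    fixed = FIXED_PATCH.get(release)
    return fixed is not None and patch < fixed

def triage(inventory):
    """Flag Cisco ISE / ISE-PIC rows that still need the fixed patch level.
    Rows are dicts with host, vendor, product, version and optional hot_patch
    (an assumed export shape, not runZero's actual schema)."""
    findings = []
    for row in inventory:
        if row["vendor"] != "Cisco" or not row["product"].startswith("Identity Services Engine"):
            continue
        if not is_affected(row["version"]):
            continue
        release, _ = parse_version(row["version"])
        note = ("interim hot patch present; full patch still required"
                if row.get("hot_patch") in HOT_PATCHES else "no fix applied")
        findings.append((row["host"], row["version"], f"{release} Patch {FIXED_PATCH[release]}", note))
    return findings

# Constructed sample inventory rows (not real hosts).
SAMPLE_INVENTORY = [
    {"host": "ise-a", "vendor": "Cisco", "product": "Identity Services Engine", "version": "3.3 Patch 6"},
    {"host": "ise-b", "vendor": "Cisco", "product": "Identity Services Engine", "version": "3.4 Patch 1",
     "hot_patch": "ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz"},
    {"host": "ise-c", "vendor": "Cisco", "product": "Identity Services Engine", "version": "3.3 Patch 7"},
    {"host": "ise-d", "vendor": "Cisco", "product": "Identity Services Engine", "version": "3.2 Patch 5"},
    {"host": "ise-e", "vendor": "Cisco", "product": "Identity Services Engine", "version": "3.4"},
]
```

Release 3.2 is left unflagged only because this advisory lists 3.3 and 3.4; the separate cloud credential issue below has its own affected list.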

June 2024: CVE-2025-20286 #

A vulnerability has been disclosed in certain cloud-deployed versions of Cisco Identity Services Engine (ISE) in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). The vulnerability exists due to improper credential generation in cloud platform deployments resulting in shared credentials across deployments based on release and cloud platform.

It is important to note that Cisco ISE is affected by this vulnerability when the Primary Administration node is deployed in the cloud. An on-premises Primary Administration node is not affected.

The following platforms and versions are affected:

  • AWS Cisco ISE 3.1, 3.2, 3.3 and 3.4
  • Azure Cisco ISE 3.2, 3.3 and 3.4
  • OCI Cisco ISE 3.2, 3.3 and 3.4

This vulnerability has been designated CVE-2025-20286 and has a CVSS score of 9.9 (critical).

What is the impact? #

Successful exploitation of this vulnerability by an attacker would allow credentials extracted from a Cisco ISE instance to be used on others from the same release on the same cloud platform. This could allow the attacker to access sensitive data, execute limited administrative operations, modify system configurations or disrupt services within the impacted systems.

Are any updates or workarounds available? #

Cisco has released updates in the form of a hot fix for releases 3.1 through 3.4. Update to the latest version of the affected software when updates are available.

Written by Matthew Kienow

Matthew Kienow is a software engineer and security researcher. Matthew previously worked on the Recog recognition framework, AttackerKB as well as Metasploit's MSF 5 APIs. He has also designed, built, and successfully deployed many secure software solutions; however, often he enjoys breaking them instead. He has presented his research at various security conferences including DerbyCon, Hack In Paris, and CarolinaCon. His research has been cited by CSO, Threatpost and SC Magazine.
