Skip to main content

Cisco Releases Security Advisory Affecting Cisco Identity Service Engine

Advisory addresses three critical severity vulnerabilities in Cisco Identity Service Engine which could lead to remote code execution

Threat ID:
CC-4675
Threat Severity:
Medium
Published:
26 June 2025 4:59 PM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Advisory addresses three critical severity vulnerabilities in Cisco Identity Service Engine which could lead to remote code execution

Affected platforms

The following platforms are known to be affected:

Cisco ISE

Cisco ISE

  • 3.3 and later

Cisco ISE Passive Identity Connector (ISE-PIC)

  • 3.3 and later

Threat details

Proof-of-concept exploit released for CVE-2025-20281

A public proof-of-concept exploit is available for CVE-2025-20281. The NHS England National CSOC assesses exploitation of this vulnerability as more likely.

Introduction

Cisco has released a security advisory addressing three vulnerabilities, affecting Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) . 

  • CVE-2025-20281 Cisco ISE API Unauthenticated Remote Code Execution Vulnerability

CVE-2025-20281 is an 'API unauthenticated remote code execution' vulnerability with a CVSSv3 score of 10. Successful exploitation could allow a remote, unauthenticated attacker to send crafted API requests, leading to arbitrary code execution (ACE) on the underlying operating system with root privileges.

  • CVE-2025-20282 Cisco ISE API Unauthenticated Remote Code Execution Vulnerability

CVE-2025-20282 is an 'API unauthenticated remote code execution' vulnerability with a CVSSv3 score of 10. Successful exploitation could allow a remote, unauthenticated attacker to upload arbitrary files, leading to arbitrary code execution (ACE) or gaining root privileges on the system.

  • CVE-2025-20337 Cisco ISE API Unauthenticated Remote Code Execution Vulnerability

Similar to CVE-2025-20281, CVE-2025-20337 is an 'API unauthenticated remote code execution' vulnerability with a CVSSv3 score of 10. Successful exploitation could allow a remote, unauthenticated attacker to send crafted API requests, leading to arbitrary code execution (ACE) on the underlying operating system with root privileges.

Threat updates

Date Update
17 Jul 2025 Cyber alert updated to reflect changes in the advisory

CVE-2025-20337 was added to the advisory and the CVSS score on CVE-2025-20281 was raised to the new score of 10.
30 Jun 2025 Proof-of-concept exploit released for CVE-2025-20281

Remediation advice

Affected organisations are encouraged to review Cisco Security Advisory cisco-sa-ise-unauth-rce-ZAd2GnJ6 and apply the relevant updates.

CVE Vulnerabilities

Status Published

CVE-2025-20281

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.
Status Published

CVE-2025-20282

A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and then execute those files on the underlying operating system as root. This vulnerability is due a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. An attacker could exploit this vulnerability by uploading a crafted file to the affected device. A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system.
Status Published

CVE-2025-20337

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.

Last edited: 17 July 2025 11:25 am