Cisco Identity Services Engine Authenticated Remote Code Execution and Authorization Bypass Vulnerabilities
TL;DR
- Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to issue commands on the underlying operating system as the root user and allow IP access filters to be bypassed. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. For more…
- Fixed releases are listed in the Fixed software section; upgrade, and monitor until the upgrade completes.
- No workarounds are available for these vulnerabilities.
- CVEs: CVE-2025-20284, CVE-2025-20283, CVE-2025-20285.
What happened
The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.
Details about the vulnerabilities are as follows:
CVE-2025-20283 and CVE-2025-20284: Cisco ISE API Authenticated Remote Code Execution Vulnerabilities
Multiple vulnerabilities in a specific API of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system as root.
These vulnerabilities are due to insufficient validation of user-supplied input. An attacker with valid credentials could exploit these vulnerabilities by submitting a crafted API request. A successful exploit could allow the attacker to execute commands as the root user. To exploit these vulnerabilities, the attacker must have valid high-privileged credentials.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
- Bug ID(s): CSCwp02806 [“https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwp02806”] and CSCwp02819 [“https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwp02819”]
- CVE ID: CVE-2025-20283 and CVE-2025-20284
- Security Impact Rating (SIR): Medium
- CVSS Base Score: 6.5
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
CVE-2025-20285: Cisco ISE IP Access Restriction for Admin Access Bypass Vulnerability
A vulnerability in the IP Access Restriction feature of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to bypass configured IP access restrictions and log in to the device from a disallowed IP address.
This vulnerability is due to improper enforcement of access controls that are configured using the IP Access Restriction feature. An attacker could exploit this vulnerability by logging in to the API from an unauthorized source IP address. A successful exploit could allow the attacker to gain access to the targeted device from an IP address that should have been restricted. To exploit this vulnerability, the attacker must have valid administrative credentials.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
- Bug ID(s): CSCwp02811 [“https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwp02811”]
- CVE ID: CVE-2025-20285
- Security Impact Rating (SIR): Medium
- CVSS Base Score: 4.1
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
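Until the fix is deployed, the compensating control for CVE-2025-20285 is to watch for what the IP Access Restriction feature should have prevented: successful admin or API logins from source addresses outside the configured allow list. The script below is an added example written for this page, not Cisco tooling and not Cisco's log format; the allow list, the `key=value` log layout and the log lines are all constructed here, so the regex must be adapted to whatever your ISE log forwarding actually emits.

```python
import ipaddress
import re
from dataclasses import dataclass

# Allowed admin source networks. Constructed for this example; in practice
# take them from your own IP Access Restriction configuration.
ALLOWED_ADMIN_SOURCES = ["10.10.0.0/24", "192.0.2.10/32"]

# Constructed log lines in a generic key=value layout. This is NOT the Cisco
# ISE log format; it only stands in for whatever your collector receives.
SAMPLE_LOG = """\
2025-07-16T16:01:02Z event=admin_login result=success user=admin src=10.10.0.15 path=/admin
2025-07-16T16:02:11Z event=api_login result=success user=ers-admin src=198.51.100.77 path=/ers/config
2025-07-16T16:03:40Z event=admin_login result=failure user=admin src=203.0.113.5 path=/admin
2025-07-16T16:04:55Z event=api_login result=success user=admin src=192.0.2.10 path=/api/v1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\S+) result=(?P<result>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) path=(?P<path>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    src: str
    path: str


def is_allowed(src: str, allowed: list[str]) -> bool:
    """True if src falls inside any configured admin source network.

    An unparsable address is treated as NOT allowed so that it is surfaced
    rather than silently dropped.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net, strict=False) for net in allowed)


def find_disallowed_logins(log_text: str, allowed: list[str]) -> list[Finding]:
    """Return successful admin/API logins whose source IP is outside the allow list.

    With IP Access Restriction enforced correctly these should not exist, so
    every hit is worth investigating while unpatched releases are deployed.
    """
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not match the expected layout; skip it
        if m["result"] != "success":
            continue  # failed attempts were blocked; only successes show a bypass
        if not is_allowed(m["src"], allowed):
            findings.append(Finding(m["ts"], m["user"], m["src"], m["path"]))
    return findings


if __name__ == "__main__":
    for f in find_disallowed_logins(SAMPLE_LOG, ALLOWED_ADMIN_SOURCES):
        print(f"ALERT {f.ts} user={f.user} src={f.src} path={f.path}")
```

Only successful logins are reported because a failed attempt from a disallowed address is the feature working as designed; the advisory's concern is a login that succeeds from an address that should have been restricted.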
Affected products
CVE-2025-20283 and CVE-2025-20284: At the time of publication, these vulnerabilities affected Cisco ISE and Cisco ISE-PIC, regardless of device configuration.
CVE-2025-20285: At the time of publication, this vulnerability affected Cisco ISE and Cisco ISE-PIC if the IP Access Restriction feature was enabled.
Note: The IP Access Restriction feature allows administrators to control which IP address or range of IP addresses can access the Cisco ISE admin portal and services. For more details, see Configure IP Access Restriction in ISE [“https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/222103-configure-ip-access-restriction-in-ise.html”].
For information about which Cisco software releases were vulnerable at the time of publication, see the Fixed software section of this advisory. See the Details section in the bug ID(s) at the top of this advisory for the most complete and current information.
Fixed software
Upgrade to the first fixed release in your train (or later):
| Release / Product | First Fixed Release | Notes |
|---|---|---|
| 3.2 and earlier | Not vulnerable. | |
| 3.3 | 3.3 Patch 7 | |
| 3.4 | 3.4 Patch 2 | |
Revision history: 1.0, initial public release.
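Applying the table across a fleet means parsing each node's release string and comparing it with the first fixed patch in its train. The script below is an added example for this page, not Cisco tooling; the inventory is constructed, the `MAJOR.MINOR [Patch N]` string form is an assumption about how you record versions, and it assumes patch levels are cumulative so that any patch at or above the listed one contains the fix. Trains the table does not name are reported as unknown rather than guessed.

```python
import re

# First fixed patch per train, transcribed from the table above.
FIRST_FIXED_PATCH = {
    (3, 3): 7,  # 3.3 Patch 7
    (3, 4): 2,  # 3.4 Patch 2
}
NOT_VULNERABLE_UP_TO = (3, 2)  # "3.2 and earlier: Not vulnerable."

# Assumed inventory string form, e.g. "3.3 Patch 5" or "3.4" (no patch applied).
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?\s*$", re.IGNORECASE)

# Constructed inventory for the example; hostnames and versions are not real.
INVENTORY = [
    ("ise-pan-01", "3.3 Patch 5"),
    ("ise-pan-02", "3.3 Patch 7"),
    ("ise-psn-01", "3.4"),
    ("ise-pic-01", "3.2 Patch 4"),
    ("ise-lab-01", "3.5"),
]


def parse_release(text: str) -> tuple[tuple[int, int], int]:
    """Split 'MAJOR.MINOR [Patch N]' into ((major, minor), patch); patch is 0 if absent."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    return (int(m[1]), int(m[2])), int(m[3] or 0)


def assess(release: str) -> str:
    """Classify one release as 'not_vulnerable', 'fixed', 'vulnerable' or 'unknown'."""
    train, patch = parse_release(release)
    if train <= NOT_VULNERABLE_UP_TO:
        return "not_vulnerable"
    if train in FIRST_FIXED_PATCH:
        return "fixed" if patch >= FIRST_FIXED_PATCH[train] else "vulnerable"
    return "unknown"  # train not listed in the table; consult the advisory


def triage(inventory: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group hostnames by assessment so the 'vulnerable' list becomes the patch queue."""
    groups: dict[str, list[str]] = {}
    for host, release in inventory:
        groups.setdefault(assess(release), []).append(host)
    return groups


if __name__ == "__main__":
    for status, hosts in sorted(triage(INVENTORY).items()):
        print(f"{status:15s} {', '.join(hosts)}")
```

A node running a train with no patch applied parses as patch 0, so "3.4" on its own is correctly reported as vulnerable against the 3.4 Patch 2 requirement.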
Workarounds
There are no workarounds that address these vulnerabilities.
Risk in context
Use vendor CVSS for prioritization. Consider exposure and asset criticality.
Fast facts
- Advisory: cisco-sa-ise-multi-3VpsXOxO
- Initial release: 2025-07-16T16:00:00 UTC
- Last updated: 2025-07-16T16:00:00 UTC
For leadership
Executive summary. Risk is Medium (CVSS 6.5) for Cisco Identity Services Engine Software. Vendor fixes are available; prioritize the upgrade within 30 days based on environment risk.
Why it matters (exposure drivers):
- Potential service impact and security exposure depend on deployment topology and access paths.
- Treat internet-exposed or multi-tenant management nodes as higher risk.
- Ensure monitoring for abnormal auth/config events until upgrades complete.
Remediation & timing:
- Upgrade to the first fixed release per the table above; schedule an approved change window within 30 days.
- Change risk: low-to-moderate (standard vendor patch). Validate backups and rollback plan.
Now / Next / Later:
- Now: Confirm exposure, identify affected versions, and enable monitoring/alerts.
- Next: Patch according to the fixed software table; verify service health post-change.
- Later: Add control checks to build pipeline/CMDB to block drift to vulnerable trains.