Cisco Identity Services Engine on Cloud Platforms Static Credential Vulnerability

🚨 SEVERITY: CRITICAL — CVSS 9.9 Security Advisory

TL;DR 📌

  • A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems. This vulnerability exists because credentials are improperly generated when Cisco ISE is being deployed…
  • No fixed release listed yet; apply mitigations and monitor.
  • No true workarounds exist; mitigations are documented in the advisory.
  • CVEs: CVE-2025-20286.

What happened 🕵️‍♂️

The static credentials present in a cloud-deployed Cisco ISE are specific to each release and platform. For example:

All instances of Release 3.1 on AWS will have the same static credentials. Credentials that are valid for access to a Release 3.1 deployment would not be valid to access a Release 3.2 deployment on the same platform. Release 3.2 on AWS would not have the same credentials as Release 3.2 on Azure.

Affected products 🖥️

This vulnerability affects the following releases of Cisco ISE in the default configuration when it is deployed on AWS, Azure, and OCI platforms:

  • AWS: Cisco ISE 3.1, 3.2, 3.3, and 3.4
  • Azure: Cisco ISE 3.2, 3.3, and 3.4
  • OCI: Cisco ISE 3.2, 3.3, and 3.4

Note: If the Primary Administration node is deployed in the cloud, then Cisco ISE is affected by this vulnerability. If the Primary Administration node is on-premises, then it is not affected.

For information about the fixed Cisco software releases, see the Fixed software section of this advisory.

Fixed software 🔧

Upgrade to the first fixed release in your train (or later):

  • 3.0 and earlier: Not applicable.
  • 3.1: ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz (this hot fix applies to Releases 3.1 through 3.4).
  • 3.2: ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz (this hot fix applies to Releases 3.1 through 3.4).
  • 3.3: ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz (this hot fix applies to Releases 3.1 through 3.4).
  • 3.4: ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz (this hot fix applies to Releases 3.1 through 3.4).
  • 3.5: Not applicable.

Revision history:

  • 1.3: Added a warning about configuration backups.
  • 1.2: Added Release 3.0, which is not affected.
  • 1.1: Added future fix information.
  • 1.0: Initial public release.

Workarounds 🧯

There are no workarounds that address this vulnerability. However, there are mitigations:

  • Allow source IPs using cloud security groups: allowing only the source IP addresses of Customer Administrators in the cloud platform's security groups restricts access to authorized administrators before traffic reaches the Cisco ISE instance, blocking any potentially malicious connections.
  • Allow source IPs at Cisco ISE: in the Cisco ISE UI, allow the source IP addresses of Customer Administrators.

For fresh installations, run the application reset-config ise command to reset user passwords to a new value. Running this command is required only on the Primary Administration persona node in the cloud; secondary nodes do not need to be reset. If the Primary Administration persona is on-premises, running the command is not required.

Warnings:

  • Running the application reset-config ise command will reset Cisco ISE to the factory configuration. For details, see the Cisco ISE Configuration Guide: https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/cli_guide/b_ise_CLI_Reference_Guide_32/b_ise_CLIReferenceGuide_32_chapter_01.html#wp1727183819
  • If the configuration backup that is being restored was taken before the vulnerability fix was applied, the old credentials will also be restored. Cisco recommends taking a new configuration backup after installing the fix to prevent the old credentials from being restored. If an old backup has been restored, the hot fix must be removed and re-installed.

While these mitigations have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
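As an added check (not Cisco's code or part of the advisory), the following Python encodes the affected-products rule from the Affected products section, including the Primary Administration node condition, and audits a cloud security group's ingress rules against an administrator allowlist, which is the first mitigation above; the boto3-style rule shape, the sample security group, the admin CIDR and the use of port 443 as the admin port are assumptions.

```python
from ipaddress import ip_network

# Platform -> release trains the advisory lists as vulnerable (default configuration).
VULNERABLE_TRAINS = {
    "aws": {"3.1", "3.2", "3.3", "3.4"},
    "azure": {"3.2", "3.3", "3.4"},
    "oci": {"3.2", "3.3", "3.4"},
}

def is_affected(platform, release, primary_admin_in_cloud):
    """Apply the advisory's affected-products rule to one deployment.

    release may be a full version ("3.3.0"); only the train ("3.3") is compared.
    Per the advisory, an on-premises Primary Administration node is not affected.
    """
    if not primary_admin_in_cloud:
        return False
    train = ".".join(release.split(".")[:2])
    return train in VULNERABLE_TRAINS.get(platform.lower(), set())

def over_permissive_ingress(ip_permissions, admin_cidrs):
    """Flag ingress rules whose source is not contained in an approved admin CIDR.

    ip_permissions mirrors the IpPermissions list shape returned by boto3's
    describe_security_groups (assumption); only IPv4 IpRanges are inspected.
    Returns a list of (from_port, cidr) tuples that fall outside the allowlist.
    """
    allowed = [ip_network(c) for c in admin_cidrs]
    findings = []
    for perm in ip_permissions:
        for rng in perm.get("IpRanges", []):
            src = ip_network(rng["CidrIp"])
            if not any(a.version == src.version and src.subnet_of(a) for a in allowed):
                findings.append((perm.get("FromPort"), rng["CidrIp"]))
    return findings

# Constructed sample data: an admin allowlist and a security group that still
# exposes the (assumed) ISE admin HTTPS port 443 to the whole internet.
ADMIN_CIDRS = ["203.0.113.0/24"]
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]

if __name__ == "__main__":
    print("affected:", is_affected("AWS", "3.3.0", primary_admin_in_cloud=True))
    for port, cidr in over_permissive_ingress(SAMPLE_INGRESS, ADMIN_CIDRS):
        print(f"ingress on port {port} from {cidr} is outside the admin allowlist")
```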

Risk in context 🎯

Use vendor CVSS for prioritization. Consider exposure and asset criticality.

Fast facts ⚡

  • Advisory: cisco-sa-ise-aws-static-cred-FPMjUcm7
  • Initial release: 2025-06-04T16:00:00 UTC
  • Last updated: 2025-06-05T17:26:25 UTC

For leadership 🧭

Executive summary. Risk is Critical (CVSS 9.9) for Cisco Identity Services Engine Software. Vendor fixes are available; prioritize upgrade within 48–72 hours based on environment risk.

Why it matters (exposure drivers):

  • Potential service impact and security exposure depend on deployment topology and access paths.
  • Treat internet-exposed or multi-tenant management nodes as higher risk.
  • Ensure monitoring for abnormal auth/config events until upgrades complete.

Remediation & timing:

  • Upgrade to the first fixed release per the table above; schedule an approved change window within 48–72 hours.
  • Change risk: low-to-moderate (standard vendor patch). Validate backups and rollback plan.

Now / Next / Later:

  • Now: Confirm exposure, identify affected versions, and enable monitoring/alerts.
  • Next: Patch according to the fixed software table; verify service health post-change.
  • Later: Add control checks to build pipeline/CMDB to block drift to vulnerable trains.