Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities
TL;DR 📌
Multiple stored cross-site scripting (XSS) vulnerabilities have been identified in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). These vulnerabilities could allow authenticated attackers to modify configurations or execute malicious scripts. Software updates are available to address these issues, but no workarounds exist.
What happened 🕵️
Cisco has disclosed multiple vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). These vulnerabilities could allow an authenticated, remote attacker to conduct stored XSS attacks or modify device configurations. The vulnerabilities stem from insufficient validation of user input and lack of server-side validation of administrator permissions.
Affected products 🖥️
- Cisco Identity Services Engine (ISE) Software
- Cisco ISE Passive Identity Connector (ISE-PIC) Software (affected by CVE-2025-20331 only)
Fixed software 🔧
Upgrade to the first fixed release in your train (or later):
| Release / Product | First Fixed Release | Notes |
|---|---|---|
| 3.0 and earlier | Migrate to a fixed release. | |
| 3.1 | 3.1P10 | |
| 3.2 | 3.2P8 (Nov 2025) | |
| 3.3 | 3.3P4 | |
| 3.4 | Not vulnerable. | |
Workarounds 🧯
There are no workarounds available to mitigate these vulnerabilities.
Risk in context 🎯
The highest CVSS score for these vulnerabilities is 5.4, categorizing them as Medium severity. Exploitation requires authenticated access, which limits exposure but still poses a risk to sensitive information and device integrity.
Fast facts ⚡
- Vulnerabilities: CVE-2025-20331 (Stored XSS), CVE-2025-20332 (Authorization Bypass)
- Highest CVSS Score: 5.4 (Medium Severity)
- No workarounds available
- Software updates are necessary to mitigate risks
For leadership 🧭
The vulnerabilities in Cisco ISE and ISE-PIC present a Medium risk to our organization. While exploitation requires authenticated access, the potential for unauthorized configuration changes and execution of malicious scripts could lead to significant security incidents.
Remediation ask: Patch affected systems within 7 days, as fixes are available.
Operational impact: Expect a brief maintenance window with no anticipated configuration drift.
Now / Next / Later:
- Now: Identify affected systems and schedule updates.
- Next: Apply patches to vulnerable software versions.
- Later: Monitor for any signs of exploitation and review security policies to prevent similar vulnerabilities in the future.
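For the "Now" step, the following added example (not Cisco's tooling and not part of the original advisory) triages an inventory against the Fixed software table above. The CSV layout, hostnames and build numbers are constructed assumptions; only the train and patch thresholds come from the table.

```python
import csv, io, re

# First fixed patch per release train, copied from the Fixed software table.
FIRST_FIXED_PATCH = {"3.1": 10, "3.2": 8, "3.3": 4}
NOT_VULNERABLE = {"3.4"}

def train_of(version):
    """Return (major, minor) from a version such as '3.1.0.518', else None."""
    m = re.match(r"\s*(\d+)\.(\d+)", version)
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(version, patch):
    """Classify one node; patch is the installed patch number (0 = none)."""
    train = train_of(version)
    if train is None:
        return "unknown: unparseable version"
    key = "%d.%d" % train
    if train <= (3, 0):
        return "vulnerable: migrate to a fixed release"
    if key in NOT_VULNERABLE:
        return "not vulnerable"
    if key not in FIRST_FIXED_PATCH:
        # Do not guess for trains the table does not cover.
        return "unknown: train not listed in the table"
    fixed = FIRST_FIXED_PATCH[key]
    if patch >= fixed:
        return "fixed"
    return "vulnerable: upgrade to %sP%d or later" % (key, fixed)

def triage_inventory(csv_text):
    """Return {host: verdict} for CSV rows with columns host,version,patch."""
    out = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        patch = int(row["patch"]) if row["patch"].strip().isdigit() else 0
        out[row["host"]] = triage(row["version"], patch)
    return out

# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE = """host,version,patch
ise-psn-01,3.1.0.518,9
ise-psn-02,3.1.0.518,10
ise-pan-01,3.3.0.430,
ise-lab-01,2.7.0.356,10
ise-mnt-01,3.4.0.608,1
ise-new-01,3.5.0.100,0
"""

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE).items():
        print(f"{host:12} {verdict}")
```

A blank patch field is treated as "no patch installed", and trains absent from the table are reported as unknown, not assumed safe.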