Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities

🚨 SEVERITY: CRITICAL — CVSS 10.0 Security Advisory

TL;DR 📌

  • Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user. For more information about these vulnerabilities, see the Details ["#details"] section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds…
  • No fixed release listed yet; apply mitigations and monitor.
  • Workarounds are documented in the advisory.
  • CVEs: CVE-2025-20282, CVE-2025-20281, CVE-2025-20337.

What happened 🕵️‍♂️

The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.

Details about the vulnerabilities are as follows:

CVE-2025-20281 and CVE-2025-20337: Cisco ISE API Unauthenticated Remote Code Execution Vulnerabilities

Multiple vulnerabilities in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit these vulnerabilities.

These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

Bug ID(s): CSCwo99449 [“https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwo99449”] and CSCwp02814 [“https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwp02814”] CVE ID: CVE-2025-20281, CVE-2025-20337 Security Impact Rating (SIR): Critical CVSS Base Score: 10.0 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2025-20282: Cisco ISE API Unauthenticated Remote Code Execution Vulnerability

A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and then execute those files on the underlying operating system as root.

This vulnerability is due a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. An attacker could exploit this vulnerability by uploading a crafted file to the affected device. A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system.

Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. Bug ID(s): CSCwp02821 [“https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwp02821”] CVE ID: CVE-2025-20282 Security Impact Rating (SIR): Critical CVSS Base Score: 10.0 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected products 🖥️

CVE-2025-20281 and CVE-2025-20337: These vulnerabilities affect Cisco ISE and ISE-PIC releases 3.3 and 3.4, regardless of device configuration. These vulnerabilities do not affect Cisco ISE and ISE-PIC Release 3.2 or earlier.

CVE-2025-20282: This vulnerability affects only Cisco ISE and ISE-PIC Release 3.4, regardless of device configuration. This vulnerability does not affect Cisco ISE and ISE-PIC Release 3.3 or earlier.

Fixed software 🔧

Upgrade to the first fixed release in your train (or later):

Release / Product First Fixed Release Notes
3.2 and earlier Not vulnerable
3.3 3.3 Patch 7
3.4 3.4 Patch 2
2.2 Added the CVEs for which exploitation attempts have been observed.
2.1 Updated to indicate active exploitation attempts in the wild.
2.0 Updated Cisco ISE code fix, added CVE-2025-20337, and added CSCwp02814.
1.0 Initial public release.

Workarounds 🧯

There are no workarounds that address these vulnerabilities.

Risk in context 🎯

Use vendor CVSS for prioritization. Consider exposure and asset criticality.

Fast facts ⚡

  • Advisory: cisco-sa-ise-unauth-rce-ZAd2GnJ6
  • Initial release: 2025-06-25T16:00:00 UTC
  • Last updated: 2025-07-24T23:30:31 UTC

For leadership 🧭

Executive summary. Risk is Critical (CVSS 10.0) for Cisco, Cisco Identity Services Engine Software. Vendor fixes are available; prioritize upgrade within 48–72 hours based on environment risk.

Why it matters (exposure drivers):

  • Potential service impact and security exposure depend on deployment topology and access paths.
  • Treat internet-exposed or multi-tenant management nodes as higher risk.
  • Ensure monitoring for abnormal auth/config events until upgrades complete.

Remediation & timing:

  • Upgrade to the first fixed release per the table above; schedule an approved change window within 48–72 hours.
  • Change risk: low-to-moderate (standard vendor patch). Validate backups and rollback plan.

Now / Next / Later:

  • Now: Confirm exposure, identify affected versions, and enable monitoring/alerts.
  • Next: Patch according to the fixed software table; verify service health post-change.
  • Later: Add control checks to build pipeline/CMDB to block drift to vulnerable trains.