TL;DR 📌

A medium-severity vulnerability has been identified in the Cisco Identity Services Engine (ISE) that allows authenticated attackers with administrative privileges to upload arbitrary files. No workarounds are available, and software updates have been released to address this issue.

What happened 🕵️‍♂️

A vulnerability in the GUI of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with administrative privileges to upload files to an affected device. This vulnerability arises from improper validation of the file copy function, enabling attackers to exploit it by sending a crafted file upload through the Cisco ISE GUI. A successful exploit could lead to arbitrary file uploads on the affected system.

TL;DR 📌

Multiple stored cross-site scripting (XSS) vulnerabilities have been identified in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). These vulnerabilities could allow authenticated attackers to modify configurations or execute malicious scripts. Software updates are available to address these issues, but no workarounds exist.

What happened 🕵️‍♂️

Cisco has disclosed multiple vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). These vulnerabilities could allow an authenticated, remote attacker to conduct stored XSS attacks or modify device configurations. The vulnerabilities stem from insufficient validation of user input and lack of server-side validation of administrator permissions.

TL;DR 📌

• A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems. This vulnerability exists because credentials are improperly generated when Cisco ISE is being deployed…
• No fixed release listed yet; apply mitigations and monitor.
• Workarounds are documented in the advisory.
• CVEs: CVE-2025-20286.

What happened 🕵️‍♂️

The credentials that exist in Cisco ISE that is deployed in the cloud are specific to each release and platform. For example:

TL;DR 📌

• A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to bypass the authorization mechanisms for specific administrative functions. This vulnerability is due to insufficient authorization enforcement mechanisms for users created by SAML SSO integration with an external identity provider. An attacker could exploit this vulnerability by submitting a series of…
• No fixed release listed yet; apply mitigations and monitor.
• Workarounds are documented in the advisory.
• CVEs: CVE-2025-20264.

What happened 🕵️‍♂️

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to bypass the authorization mechanisms for specific administrative functions.

TL;DR 📌

• A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code…
• No fixed release listed yet; apply mitigations and monitor.
• Workarounds are documented in the advisory.
• CVEs: CVE-2025-20267.

What happened 🕵️‍♂️

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.

TL;DR 📌

• Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to issue commands on the underlying operating system as the root user and allow IP access filters to be bypassed. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. For more…
• No fixed release listed yet; apply mitigations and monitor.
• Workarounds are documented in the advisory.
• CVEs: CVE-2025-20284, CVE-2025-20283, CVE-2025-20285.

What happened 🕵️‍♂️

The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.

TL;DR 📌

• Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user. For more information about these vulnerabilities, see the Details ["#details"] section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds…
• No fixed release listed yet; apply mitigations and monitor.
• Workarounds are documented in the advisory.
• CVEs: CVE-2025-20282, CVE-2025-20281, CVE-2025-20337.

What happened 🕵️‍♂️

The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.