Cisco has issued an updated security advisory confirming that hackers are now actively exploiting multiple severe vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). These flaws, if unpatched, can allow remote attackers to gain full root-level control over targeted systems — without any need for a username or password.
In a warning released on Monday, July 21, 2025, Cisco’s Product Security Incident Response Team (PSIRT) said it detected real-world attempts to abuse these vulnerabilities starting earlier this month.
“In July 2025, Cisco PSIRT became aware of attempted exploitation of some of these vulnerabilities in the wild,” the company stated in its security alert.
However, Cisco did not reveal which exact bugs are being exploited, who the attackers are, or how widespread the activity is. This leaves organizations around the world on high alert, especially those using Cisco’s ISE for access control.
What Is Cisco ISE and Why Is It Important?
Cisco Identity Services Engine (ISE) is a powerful network access control solution used by enterprises to manage who and what is allowed to connect to their internal networks. It enforces security policies, verifies user identities, and checks device compliance before allowing access.
Because ISE sits at the very gateway of network access, any security hole in it could be a golden opportunity for attackers. A compromised ISE system could allow hackers to:
Bypass all authentication checks
Hide their activity from logging systems
Move freely within the internal network
Install malware or steal data with root-level privileges
The vulnerabilities confirmed by Cisco are critical in nature, with the highest severity rating of CVSS 10.0. All of them can be exploited remotely without authentication — a serious red flag for any IT or security team.
Here are the key vulnerabilities identified:
CVE-2025-20281 and CVE-2025-20337
These are multiple flaws in a specific API component of Cisco ISE. The issues arise due to poor validation of user input, allowing attackers to send specially crafted API requests. If successful, this could lead to arbitrary code execution on the system with root-level access.CVE-2025-20282
This vulnerability is found in an internal API and occurs due to the system’s failure to properly check uploaded files. An attacker can upload malicious files to restricted directories and then execute them — again with root access.
In simpler terms, these flaws let attackers run their own programs inside your network as if they were the system administrator — and they don’t even need to log in first.
These vulnerabilities work because of two major weaknesses in Cisco’s ISE software:
Lack of Input Validation: The system doesn’t check carefully what data it’s receiving, allowing hackers to insert dangerous commands through APIs (CVE-2025-20281 and CVE-2025-20337).
Improper File Handling: The system doesn’t properly validate uploaded files, which can be placed in powerful system folders and executed (CVE-2025-20282).
A remote attacker could exploit these issues by simply sending a specially crafted request or uploading a dangerous file to the targeted device — no login or prior access required.
Given that active exploitation is already underway, organizations must act quickly to protect their networks. Cisco has released patched versions of ISE software that fix these vulnerabilities.
Here’s what cybersecurity teams should do immediately:
Apply the latest Cisco ISE software updates from Cisco’s official support portal.
Check system logs for unusual API requests or unauthorized file uploads.
Isolate exposed ISE instances from the public internet, if possible.
Monitor for Indicators of Compromise (IoCs) related to these CVEs.
Leaving systems unpatched puts your entire internal network at risk, especially if your ISE setup is accessible from the internet or used to manage access in regulated environments like finance, healthcare, or government.
This development is another reminder of how critical it is to maintain strict patch management policies. The fact that these Cisco ISE vulnerabilities are unauthenticated remote code execution bugs — now being actively exploited — makes them a high-priority concern.
Organizations that rely on Cisco ISE should treat this as an urgent security event. Patching and proactive monitoring are the only ways to stop attackers from turning a trusted network security tool into a dangerous backdoor.
Interesting Article : CVE-2025-53770, SharePoint Zero-Day Exploited in Ongoing Attacks, Patch Released
Pingback: SysAid Zero-Day: CVE-2025-2775 and CVE-2025-2776 Exploited in the Wild