Cisco has issued urgent security updates to fix two critical remote code execution (RCE) vulnerabilities found in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). These flaws can allow unauthenticated remote attackers to gain root-level access to affected systems—posing a severe threat to enterprise networks.
Both vulnerabilities have been assigned a CVSS score of 10.0, which is the highest possible rating, indicating maximum severity and risk. The flaws are tracked as:
CVE-2025-20281 – Affects Cisco ISE and ISE-PIC version 3.3 and later. It allows an attacker to send a specially crafted API request and execute code remotely as root without authentication.
CVE-2025-20282 – Affects Cisco ISE and ISE-PIC version 3.4. It enables attackers to upload and execute arbitrary files on the system with root privileges, again without needing to log in.
According to Cisco, the first vulnerability (CVE-2025-20281) is due to insufficient validation of user input. By sending a maliciously crafted API request, an attacker can trick the system into granting root-level privileges and execute arbitrary commands.
The second flaw (CVE-2025-20282) is caused by a lack of proper file validation. This means an attacker can upload dangerous files into protected system directories and then execute them as root, completely compromising the device.
Cisco warns:
“A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges.”
At this time, no workarounds are available to mitigate these issues. Organizations using affected versions of Cisco ISE or ISE-PIC must immediately apply the official patches released by Cisco.
For CVE-2025-20281:
ISE or ISE-PIC 3.3 Patch 6
File:
ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz
ISE or ISE-PIC 3.4 Patch 2
File:
ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz
For CVE-2025-20282:
ISE or ISE-PIC 3.4 Patch 2
File:
ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz
If your organization is using any version 3.3 or 3.4 of Cisco ISE or ISE-PIC, you should verify the patch level immediately and apply the appropriate security update without delay.
Cisco credited Bobby Gould of Trend Micro’s Zero Day Initiative and Kentaro Kawane of GMO Cybersecurity for responsibly disclosing CVE-2025-20281.
Kentaro Kawane is also recognized for reporting CVE-2025-20282. Notably, he was previously credited with another critical issue (CVE-2025-20286, CVSS score: 9.9).
Cisco ISE is widely used by large organizations to manage network access, monitor users and devices, and enforce security policies. When a vulnerability allows attackers to bypass authentication and execute code as root, it effectively gives them full control of the device. This could lead to:
Unauthorized access to sensitive network data
Deployment of ransomware or spyware
Lateral movement to other internal systems
Complete takeover of network access policies
Such a critical entry point could become the first step in a larger breach. While Cisco has not observed active exploitation yet, vulnerabilities of this magnitude are highly attractive to threat actors, especially state-sponsored hackers and ransomware groups.
If your organization uses Cisco ISE or ISE-PIC, follow these best practices:
Patch Immediately: Apply the latest Cisco patches to ISE and ISE-PIC systems.
Audit Access Logs: Look for suspicious activity or unauthorized access attempts.
Restrict External Access: Ensure management interfaces are not exposed to the public internet.
Enable Monitoring: Use SIEM tools to monitor for unusual behavior from ISE systems.
Backup Configurations: Keep a secure backup of your current ISE configuration in case recovery is needed.
Although there is currently no evidence of in-the-wild exploitation, the critical nature of these vulnerabilities means threat actors may begin scanning for unpatched systems very soon. Public disclosure often acts as a starting gun for attackers to develop and launch exploits.
Organizations are strongly urged to treat this as a priority-1 security issue and patch their systems within 24 to 48 hours.
The discovery of these high-impact vulnerabilities in Cisco ISE and ISE-PIC highlights the importance of proactive patch management and vulnerability awareness. As security perimeters blur and identity services become central to network security, flaws in platforms like Cisco ISE can open the door to catastrophic breaches.
Stay protected by keeping systems updated, monitoring vendor advisories, and ensuring your team is ready to respond swiftly to emerging threats.
Interesting Article : Citrix Patches Critical CVE-2025-6543 Bug in NetScaler ADC Under Active Exploitation
Pingback: CI/CD Flaw in Open VSX Could Let Hackers Hijack VS Code MarketPlace