What are the three exploited Cisco ISE vulnerabilities?

The three actively exploited vulnerabilities are CVE-2025-20281 (unauthenticated RCE in specific APIs allowing arbitrary OS commands as root), CVE-2025-20282 (unauthenticated RCE in internal APIs enabling arbitrary file upload and execution with root privileges), and CVE-2025-20337 (unauthenticated RCE caused by insufficient input validation in ISE APIs allowing root access through crafted requests).

What is CVE-2025-20281?

CVE-2025-20281 is an unauthenticated remote code execution vulnerability in specific APIs of Cisco ISE and ISE-PIC that allows attackers to execute arbitrary operating system commands as root through insufficient validation of user-supplied input.

What is CVE-2025-20282?

CVE-2025-20282 is an unauthenticated remote code execution vulnerability in internal APIs that enables attackers to upload arbitrary files to privileged directories and execute them with root privileges due to inadequate file validation checks.

What is CVE-2025-20337?

CVE-2025-20337 is an unauthenticated remote code execution vulnerability caused by insufficient input validation in ISE APIs, allowing unauthenticated remote attackers to obtain root privileges through crafted API requests.

Are these Cisco ISE vulnerabilities being exploited in the wild?

Yes, Cisco has confirmed that all three maximum-severity remote code execution vulnerabilities (CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337) are now being actively exploited by threat actors in real-world attacks.

What should organizations do about these exploited Cisco ISE vulnerabilities?

Organizations should apply the latest patches to ISE immediately. Given that these vulnerabilities are being actively exploited and allow unauthenticated remote code execution with root privileges, patching should be treated as an urgent priority.

Do these vulnerabilities require authentication to exploit?

No, all three vulnerabilities (CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337) are unauthenticated remote code execution vulnerabilities, meaning attackers can exploit them without needing valid credentials or prior access to the systems.

What level of access do these Cisco ISE vulnerabilities provide to attackers?

All three vulnerabilities allow attackers to achieve root privileges on compromised Cisco ISE and ISE-PIC systems. Root access provides the highest level of system control, allowing attackers to execute any commands, access all data, and completely compromise the network access control infrastructure.

What makes these Cisco ISE vulnerabilities particularly dangerous?

These vulnerabilities are particularly dangerous because they combine maximum severity (allowing complete system compromise), require no authentication to exploit, are being actively exploited in the wild, and target critical network infrastructure that controls access and security policies for entire organizational networks.

Attack

Cisco ISE vulnerabilities actively exploited

published: July 23, 2025

Take action: If you still haven't patched your Cisco Identity Services Engine (ISE), DO IT NOW! Your Cisco ISE is being actively attacked. So don't wait.

Learn More

Cisco is reporting that three maximum-severity remote code execution vulnerabilities affecting its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) are now being actively exploited by threat actors.

Cisco Identity Services Engine is a network access control and policy enforcement platform used by organizations worldwide to manage device authentication, authorization, and compliance monitoring. A successful compromise of these systems could provide attackers with visibility into network traffic, the ability to modify security policies, and potential access to sensitive organizational data flowing through the network infrastructure.

The exploited vulnerabilities are:

CVE-2025-20281 - An unauthenticated remote code execution vulnerability in specific APIs of Cisco ISE and ISE-PIC that allows attackers to execute arbitrary operating system commands as root through insufficient validation of user-supplied input.
CVE-2025-20282 - An unauthenticated remote code execution vulnerability in internal APIs that enables attackers to upload arbitrary files to privileged directories and execute them with root privileges due to inadequate file validation checks.
CVE-2025-20337 - An unauthenticated remote code execution vulnerability caused bt insufficient input validation in ISE APIs, allowing unauthenticated remote attackers to obtain root privileges through crafted API requests.

Organizations should apply latest patches to ISE immediately.

Update - As of 28th of July 2028, security researcher Bobby Gould published a PoC exploit chain for CVE-2025-20281 and CVE-2025-20337.

Cisco ISE vulnerabilities actively exploited

Read More
Cisco patches actively exploited Zero-Day vulnerability in IOS …
Atlassian Confluence vulnerability exploited in active hacks by …
Attacks Target Freshly Patched Critical Fortinet Flaws
CISA reports active exploitation of Advantive VeraCore flaws
Active attacks reported against end-of-life Zyxel NAS devices