Cisco patches two critical flaws in its Identity Services Engine
Take action: If you are using Cisco Identity Services Engine (or ISE Passive Identity Connector), this belongs on your next priority patching list. The flaws are critical but still require authentication to be exploited, which buys you a little time to plan the patch. Just don't ignore these flaws: sooner or later someone will expose their credentials, and a hacker will gain access.
Learn More
Cisco has disclosed and patched two critical vulnerabilities in their Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) systems.
- CVE-2025-20124 (CVSS score 9.9) - Allows execution of arbitrary commands as root through insecure deserialization of Java byte streams in an affected API. Exploitation involves sending crafted serialized Java objects.
- CVE-2025-20125 (CVSS score 9.1) - Authorization bypass vulnerability enabling attackers to obtain sensitive information, modify node configurations, and force system restarts through crafted HTTP requests.
Both vulnerabilities require valid read-only administrative credentials for exploitation and affect ISE versions 3.0 through 3.3. Version 3.4 is not vulnerable. Cisco has provided patches through the following fixed releases:
- Version 3.0: Migration to a fixed release required
- Version 3.1: Update to 3.1P10
- Version 3.2: Update to 3.2P7
- Version 3.3: Update to 3.3P4
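Added here as a worked triage check, not code from Cisco's advisory or any Cisco tool: given the version strings an inventory system reports for each ISE/ISE-PIC node, it parses the release train and patch level and maps each node to the action listed above. The accepted version-string formats (for example `3.2P7`, `3.2 Patch 7`, or a dotted build followed by a patch level) and the hostnames in the sample inventory are assumptions for illustration.

```python
import re

# Fixed releases from the advisory: release train -> first patched patch level.
# 3.0 has no fixed patch (migration required); 3.4 is not affected.
FIXED_PATCH = {"3.1": 10, "3.2": 7, "3.3": 4}
AFFECTED_TRAINS = {"3.0", "3.1", "3.2", "3.3"}

# Assumed formats: "3.3", "3.2P7", "3.2 Patch 7", "3.1.0.518 Patch 10".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.\d+)*\s*(?:P|Patch\s*)?(\d+)?\s*$", re.IGNORECASE
)


def parse_ise_version(text):
    """Return (train, patch), e.g. '3.2 Patch 5' -> ('3.2', 5); '3.3' -> ('3.3', 0)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    train = f"{m.group(1)}.{m.group(2)}"
    patch = int(m.group(3)) if m.group(3) else 0
    return train, patch


def assess(version_text):
    """Classify one node as not_affected / patched / vulnerable, with the action."""
    train, patch = parse_ise_version(version_text)
    if train not in AFFECTED_TRAINS:
        # Only 3.0 through 3.3 are listed as affected; 3.4 is explicitly not vulnerable.
        return "not_affected", "no action for CVE-2025-20124 / CVE-2025-20125"
    if train == "3.0":
        return "vulnerable", "migrate to a fixed release (no patch for 3.0)"
    fixed = FIXED_PATCH[train]
    if patch >= fixed:
        return "patched", f"already at or above {train}P{fixed}"
    return "vulnerable", f"update to {train}P{fixed}"


def needs_action(inventory):
    """Sorted hostnames whose reported version is still vulnerable."""
    return sorted(h for h, v in inventory.items() if assess(v)[0] == "vulnerable")


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ise-pan-1": "3.2 Patch 5",
    "ise-psn-1": "3.3P4",
    "ise-pic-1": "3.0",
    "ise-lab": "3.4",
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(host, ver, *assess(ver))
```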
The vulnerabilities are independent, meaning exploitation of one is not required to leverage the other. Cisco reports no known exploits in the wild.
Cisco emphasizes there are no workarounds available, making patching essential. Organizations using affected versions should update through their regular software update channels. For those without service contracts, updates can be obtained through Cisco's Technical Assistance Center (TAC).