What is the new Cisco ISE vulnerability CVE-2025-20337?

CVE-2025-20337 is a third critical security vulnerability affecting Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) platforms with a maximum CVSS severity score of 10.0. It's caused by insufficient input validation in ISE APIs, allowing unauthenticated remote attackers to obtain root privileges through crafted API requests.

How many critical Cisco ISE vulnerabilities have been reported recently?

Cisco has reported three critical security vulnerabilities affecting ISE and ISE-PIC platforms: CVE-2025-20337, CVE-2025-20281, and CVE-2025-20282. All three vulnerabilities have the maximum CVSS severity score of 10.0 and allow unauthenticated remote attackers to execute arbitrary commands with root privileges.

Which Cisco ISE versions are affected by these critical vulnerabilities?

CVE-2025-20281 and CVE-2025-20337 affect ISE and ISE-PIC releases 3.3 and 3.4, regardless of device configuration. CVE-2025-20282 impacts only version 3.4. Cisco ISE and ISE-PIC Release 3.2 and earlier versions are not vulnerable to any of these flaws.

What do these Cisco ISE vulnerabilities allow attackers to do?

All three vulnerabilities allow unauthenticated remote attackers to execute arbitrary commands with root privileges. CVE-2025-20281 and CVE-2025-20337 exploit insufficient API input validation, while CVE-2025-20282 enables attackers to upload arbitrary files to privileged directories and execute them due to inadequate file validation checks.

What are the current patching requirements for Cisco ISE?

Organizations running Release 3.4 Patch 2 are fully patched against all three vulnerabilities. Those on Release 3.3 Patch 6 must upgrade to Release 3.3 Patch 7 to patch for CVE-2025-20337. The previously released hot patches (ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz and ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz) have been deprecated.

What is Cisco Identity Services Engine (ISE)?

Cisco Identity Services Engine (ISE) is a network access control and policy enforcement platform. ISE Passive Identity Connector (ISE-PIC) is a related component. These platforms are now affected by three critical vulnerabilities that could allow complete system compromise through unauthenticated remote access.

What is the CVSS score for all three Cisco ISE vulnerabilities?

All three Cisco ISE vulnerabilities (CVE-2025-20337, CVE-2025-20281, and CVE-2025-20282) have the maximum CVSS severity score of 10.0, indicating the most critical level of security risk with potential for complete system compromise.

Advisory

Cisco reports another critical vulnerability in Cisco ISE that enable enable unauthenticated root code execution

Q: Are customers who patched previous Cisco ISE vulnerabilities protected from CVE-2025-20337?

No, customers who applied patches for CVE-2025-20281 and CVE-2025-20282 are not protected from CVE-2025-20337 and need to upgrade to ISE 3.3 Patch 7 or ISE 3.4 Patch 2. Previously released hot patches have been deprecated as they failed to address CVE-2025-20337.

Q: Are the Cisco ISE vulnerabilities related to each other?

No, the vulnerabilities are independent of each other. Exploiting one does not require exploitation of another, and a software release affected by one vulnerability may not be affected by others. Each vulnerability has its own specific impact on different ISE versions.

published: July 17, 2025

Take action: If you haven't patched your Cisco Identity Services Engine (ISE), DO IT NOW! Even if you already patched, you probably need to patch again. There are three maximum severity flaws that will harm your ISE. Cisco ISE usually controls network access to a lot of the infrastructure, so you don't want it to be hacked.

Learn More

Cisco is reporting a third critical security vulnerability affecting its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) platforms that could allow unauthenticated remote attackers to execute arbitrary commands with root privileges.

As with the two previously reported flaws it's got the maximum CVSS severity score of 10.0

Vulnerability summary

CVE-2025-20337 (CVSS score 10.0) - A recently disclosed vulnerability similar to CVE-2025-20281, caused by insufficient input validation in ISE APIs, allowing unauthenticated remote attackers to obtain root privileges through crafted API requests.

Previously reported critical flaws

CVE-2025-20281 (CVSS score 10.0) - An unauthenticated remote code execution vulnerability in specific APIs of Cisco ISE and ISE-PIC that allows attackers to execute arbitrary operating system commands as root through insufficient validation of user-supplied input.
CVE-2025-20282 (CVSS score 10.0) - An unauthenticated remote code execution vulnerability in internal APIs that enables attackers to upload arbitrary files to privileged directories and execute them with root privileges due to inadequate file validation checks.

The vulnerabilities are independent of each other - exploiting one does not require exploitation of another, and a software release affected by one vulnerability may not be affected by others.

The vulnerabilities impact different versions of Cisco ISE and ISE-PIC depending on the specific flaw:

CVE-2025-20281 and CVE-2025-20337 affect ISE and ISE-PIC releases 3.3 and 3.4, regardless of device configuration
CVE-2025-20282 impacts only version 3.4. Cisco ISE and ISE-PIC Release 3.2 and earlier versions are not vulnerable to any of these flaws.

Organizations running Release 3.4 Patch 2 are fully patched, but those on Release 3.3 Patch 6 must upgrade to Release 3.3 Patch 7 to patch for CVE-2025-20337

The company warned that customers who applied patches for CVE-2025-20281 and CVE-2025-20282 are not protected from CVE-2025-20337 and need to upgrade to ISE 3.3 Patch 7 or ISE 3.4 Patch 2. Previously released hot patches (ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz and ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz) have been deprecated as they failed to address CVE-2025-20337.

Update - As of 28th of July 2028, security researcher Bobby Gould published a PoC exploit chain for CVE-2025-20281 and CVE-2025-20337.

Cisco reports another critical vulnerability in Cisco ISE that enable enable unauthenticated root code execution

Read More
Fortinet reports new max severity issues in FortiSIEM …
Ubiquiti EdgeRouter Vulnerability has a PoC exploit which …
Veritas warns of critical flaws in Enterprise Vault
CISA warns of ZKTeco BioTime flaw actively exploited …
TETRA radio comms used by emergency services vulnerable …