What critical vulnerabilities did Cisco report in Identity Services Engine?

Cisco has issued an emergency security advisory for two critical vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) platforms: CVE-2025-20281 and CVE-2025-20282, both with perfect CVSS scores of 10.0. These vulnerabilities could allow unauthenticated attackers to achieve complete system compromise.

What is Cisco Identity Services Engine (ISE)?

Cisco Identity Services Engine (ISE) is a comprehensive network access control and policy enforcement platform that provides centralized authentication, authorization, and accounting (AAA) services. It's widely used in enterprise environments to control network access, enforce security policies, and monitor user activity across network infrastructure.

What is CVE-2025-20281?

CVE-2025-20281 (CVSS score 10) is an API input validation vulnerability affecting Cisco ISE and ISE-PIC releases 3.3 and later. This flaw allows unauthenticated remote attackers to execute arbitrary code on the underlying operating system as root through insufficient validation of user-supplied input. Attackers can exploit this by submitting crafted API requests.

What is CVE-2025-20282?

CVE-2025-20282 (CVSS score 10) is an internal API file upload vulnerability affecting only Cisco ISE and ISE-PIC Release 3.4. This vulnerability stems from a lack of file validation checks that would prevent uploaded files from being placed in privileged directories. Attackers can upload crafted files to store malicious content and subsequently execute arbitrary code with root privileges.

Why do these vulnerabilities have perfect CVSS scores of 10.0?

These vulnerabilities receive perfect CVSS scores of 10.0 because they allow unauthenticated remote attackers to execute arbitrary code with root privileges, representing complete system compromise. The combination of no authentication required, remote exploitation capability, and maximum impact (root access) results in the highest possible severity rating.

Which versions of Cisco ISE are affected by these vulnerabilities?

CVE-2025-20281 affects Cisco ISE and ISE-PIC releases 3.3 and later, while CVE-2025-20282 affects only Cisco ISE and ISE-PIC Release 3.4. Organizations running these versions should apply patches immediately.

Are there any workarounds for these vulnerabilities?

No, there are no workarounds that address these vulnerabilities. Organizations must apply the patches provided by Cisco to mitigate the security risks. This makes immediate patching the only viable option to protect affected systems.

What can attackers accomplish by exploiting these vulnerabilities?

Successful exploitation allows unauthenticated attackers to achieve complete system compromise by executing arbitrary code with root privileges on the underlying operating system. This could lead to data theft, system manipulation, network reconnaissance, lateral movement, and complete control over the ISE infrastructure.

Why is this considered an emergency advisory?

This is considered an emergency advisory because both vulnerabilities have perfect CVSS scores of 10.0, allow unauthenticated remote code execution as root, affect widely-deployed enterprise network security infrastructure, and have no available workarounds. The potential for complete system compromise of critical network access control systems makes this an urgent security emergency.

What should organizations do immediately about these Cisco ISE vulnerabilities?

Organizations should immediately identify all Cisco ISE and ISE-PIC installations in their environment, prioritize applying the appropriate patches (ISE 3.3 Patch 6 or ISE 3.4 Patch 2), implement additional network monitoring for ISE systems, restrict network access to ISE management interfaces where possible, and prepare incident response procedures in case of compromise. Given the perfect CVSS scores and lack of workarounds, this should be treated as a critical emergency requiring immediate action to prevent potential complete compromise of network access control infrastructure.

Advisory

Cisco reports perfect 10 critical remote code execution flaws in Identity Services Engine (ISE)

Q: Are patches available for these Cisco ISE vulnerabilities?

Yes, Cisco has released patches for all affected versions: ISE 3.3 Patch 6 for CVE-2025-20281 and ISE 3.4 Patch 2 for both vulnerabilities. The patches are distributed as specific patch files (ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz and ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz).

Q: Have these vulnerabilities been exploited in the wild?

Cisco's Product Security Incident Response Team (PSIRT) states that they are not currently aware of any public announcements or malicious exploitation of these vulnerabilities in the wild. However, given the critical nature and perfect CVSS scores, exploitation attempts are likely once details become public.

published: June 25, 2025

Take action: This one is very important. If you are using Cisco Identity Services Engine (ISE), drop everything and start planning a patch ASAP. ISE usually controls network access to a lot of the infrastructure, so you don't want it to be hacked. And hackers will quickly start abusing these flaws.

Learn More

Cisco has issued an emergency security advisory of two critical vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) platforms that could allow unauthenticated attackers to achieve complete system compromise.

Vulnerabilities summary

CVE-2025-20281 (CVSS score 10): An API input validation vulnerability affecting Cisco ISE and ISE-PIC releases 3.3 and later. This flaw allows unauthenticated remote attackers to execute arbitrary code on the underlying operating system as root through insufficient validation of user-supplied input. Attackers can exploit this vulnerability by submitting crafted API requests.
CVE-2025-20282 (CVSS score 10): An internal API file upload vulnerability affecting only Cisco ISE and ISE-PIC Release 3.4. This vulnerability stems from a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on affected systems. Attackers can exploit this flaw by uploading crafted files to affected devices, allowing them to store malicious files on the system and subsequently execute arbitrary code with root privileges.

Cisco has released patches for all affected versions - ISE 3.3 Patch 6 for CVE-2025-20281 and ISE 3.4 Patch 2 for both vulnerabilities. The patches are distributed as specific patch files (ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz and ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz) that target the underlying security flaws while maintaining system functionality.

Cisco's Product Security Incident Response Team (PSIRT) claims that they are not currently aware of any public announcements or malicious exploitation of these vulnerabilities in the wild.

Organizations are strongly advised to prioritize applying these patches. There are no workarounds that address these vulnerabilities.

Update - As of 28th of July 2028, security researcher Bobby Gould published a PoC exploit chain for CVE-2025-20281 and CVE-2025-20337.

Cisco reports perfect 10 critical remote code execution flaws in Identity Services Engine (ISE)

Read More
High-Severity stored XSS reported in MyCourts platform, can …
Fortinet Patches Critical FortiOS SSO Authentication Bypass Under …
XSS vulnerability in Zimbra collaboration suite under active …
CISA confirms exploitation of two BeyondTrust flaws, urges …
Authentication bypass vulnerability reported in HPE Performance Cluster …