Critical flaw in Cisco Identity Services Engine Cloud Deployment exposes multiple platforms
Take action: If you're running Cisco ISE in cloud environments (AWS, Azure, or OCI), it is time for urgent but painful action. Either apply the hotfixes, upgrade to the latest patched versions, or isolate Cisco ISE so it is only accessible from trusted networks, and even perform a factory reset. None of these actions is easy or painless, so patching is the best option.
Cisco is reporting three vulnerabilities, including one rated critical that affects cloud deployments of its Identity Services Engine (ISE). The company has released emergency security patches and warns that public proof-of-concept exploit code is already available.
Vulnerability summary
- CVE-2025-20286 (CVSS score 9.9) - Static credential vulnerability in Cisco ISE cloud deployments. It stems from improperly generated credentials during Cisco ISE deployment on cloud platforms, resulting in identical credentials being shared across multiple separate deployments. An attacker who extracts user credentials from one Cisco ISE cloud deployment could use those same credentials to access other ISE installations deployed in different cloud environments.
- CVE-2025-20130 (CVSS score 4.9) - Arbitrary file upload vulnerability in Cisco ISE
- CVE-2025-20129 (CVSS score 4.3) - Information disclosure vulnerability in Cisco Customer Collaboration Platform (formerly SocialMiner)
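The static credential class behind CVE-2025-20286 is easier to reason about with a concrete model. The following is an added illustration, not Cisco's code and not a description of how ISE actually derives its credentials: a deployment-time routine that seeds an initial password from values every install shares (here, platform and release string, both assumed for the example) hands every deployment the same secret, whereas a per-deployment draw from the OS CSPRNG does not. The `find_shared_credentials` audit compares keyed fingerprints across deployments so reuse can be detected without collecting the passwords themselves; the deployment names and audit key are constructed.

```python
"""Added example (not Cisco's code): how a static credential arises from
deterministic derivation, and how to detect credential reuse across
deployments. Platform/release inputs and deployment names are assumptions."""
import hashlib
import hmac
import secrets
from collections import defaultdict


def flawed_generate(platform: str, release: str) -> str:
    """Anti-pattern: derive the initial admin password from install-time
    constants. Every deployment of the same release on the same platform
    ends up with an identical password (constructed illustration)."""
    seed = f"{platform}:{release}".encode()
    return hashlib.sha256(seed).hexdigest()[:20]


def fixed_generate(platform: str, release: str) -> str:
    """Correct pattern: draw a fresh secret from the OS CSPRNG per deployment.
    Inputs are accepted only for interface parity and deliberately unused."""
    return secrets.token_urlsafe(24)


def fingerprint(password: str, key: bytes) -> str:
    """Keyed fingerprint so deployments can be compared for reuse without
    shipping the plaintext password to the auditor."""
    return hmac.new(key, password.encode(), hashlib.sha256).hexdigest()


def find_shared_credentials(fingerprints: dict[str, str]) -> list[list[str]]:
    """Group deployments that share a fingerprint. A non-empty result means
    the same credential is live in more than one deployment."""
    groups: dict[str, list[str]] = defaultdict(list)
    for deployment, fp in fingerprints.items():
        groups[fp].append(deployment)
    return sorted(members for members in groups.values() if len(members) > 1)


def simulate(generator, deployments: dict[str, tuple], key: bytes = b"audit-key") -> list[list[str]]:
    """Provision each deployment with `generator`, fingerprint the result,
    and report which deployments ended up sharing a credential."""
    fps = {name: fingerprint(generator(*args), key) for name, args in deployments.items()}
    return find_shared_credentials(fps)


# Constructed deployments: two tenants on the same platform/release, one on another.
DEPLOYMENTS = {
    "tenant-a-aws": ("aws", "3.4"),
    "tenant-b-aws": ("aws", "3.4"),
    "tenant-c-azure": ("azure", "3.4"),
}

if __name__ == "__main__":
    print("flawed generator, shared credentials:", simulate(flawed_generate, DEPLOYMENTS))
    print("fixed generator, shared credentials: ", simulate(fixed_generate, DEPLOYMENTS))
```

With the flawed generator the two AWS tenants are reported as sharing a credential; with the CSPRNG-based generator the audit comes back empty. The same fingerprint comparison works as a one-off check across real deployments, provided the audit key is itself kept per organisation.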
Vulnerable versions
CVE-2025-20286 affects Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments and could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems.
On AWS, affected versions include releases 3.1, 3.2, 3.3, and 3.4. Azure and Oracle Cloud Infrastructure deployments are vulnerable in releases 3.2, 3.3, and 3.4.
Cisco's Product Security Incident Response Team (PSIRT) has confirmed awareness of publicly available proof-of-concept exploit code for this vulnerability.
Versions not affected
All on-premises deployments of any form factor installed from artifacts obtained from the Cisco Software Download Center, including ISO or OVA installations on appliances and virtual machines, are not vulnerable. Additionally, ISE installations on Azure VMware Solution (AVS), Google Cloud VMware Engine, and VMware Cloud on AWS, as well as hybrid deployments with the Primary and Secondary Administration personas kept on-premises, are protected from this specific attack vector.
Patched versions
Cisco has developed and released targeted hotfixes and permanent software updates to address these vulnerabilities. For releases 3.1 through 3.4, the company provides a unified hotfix file named ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz that addresses the static credential vulnerability across all affected versions.
Permanent fixes are scheduled for release 3.3P8 in November 2025 and release 3.4P3 in October 2025, while release 3.5 is planned for August 2025 and will include the fix from initial release.
For organizations unable to immediately apply the available patches, Cisco recommends running the application reset-config ise command on the Primary Administration persona node deployed in the cloud, which resets user passwords to new, unique values. However, administrators must understand that executing this command returns the entire Cisco ISE system to factory configuration, potentially disrupting existing configurations and requiring complete reconfiguration of the environment.
Additional defensive measures include IP address restrictions using cloud security groups, limiting the permitted source IP addresses to those of customer administrators so that unauthorized access attempts are blocked before traffic reaches the Cisco ISE instance.
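One way to verify that the security-group restriction above is actually in place is to audit the inbound rules that reach the ISE administrative interface. The script below is an added example, not Cisco's or any cloud provider's tooling. It assumes the administrative interface is HTTPS on 443 and SSH on 22 (an assumption, not stated in the advisory), models rule records on the shape of the AWS EC2 `describe-security-groups` output (`IpPermissions`, `IpRanges`/`CidrIp`, `Ipv6Ranges`/`CidrIpv6`, protocol `-1` meaning all traffic), and uses constructed trusted administrator ranges and sample groups; it generalises beyond the advisory by handling IPv6 and all-traffic rules as well as explicit port rules.

```python
"""Added audit example (not Cisco's or AWS's code): flag security-group rules
that admit the ISE admin interface from outside trusted administrator
networks. Admin ports, trusted ranges and sample groups are assumptions."""
import ipaddress

ADMIN_PORTS = {22, 443}  # assumption: SSH CLI and HTTPS admin GUI
# Constructed administrator source ranges (documentation prefixes).
TRUSTED = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8:10::/48")]


def _rule_ports(rule: dict) -> tuple[int, int]:
    """Port range a rule covers; protocol '-1' means every port."""
    if rule.get("IpProtocol") == "-1":
        return 0, 65535
    return rule.get("FromPort", 0), rule.get("ToPort", 65535)


def _touches_admin_ports(rule: dict) -> bool:
    lo, hi = _rule_ports(rule)
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def _cidrs(rule: dict):
    """Yield every IPv4 and IPv6 source range on a rule."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _is_trusted(cidr: str) -> bool:
    """A source range is acceptable only if it lies entirely inside a
    trusted administrator network of the same IP version."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED)


def audit_security_group(sg: dict) -> list[tuple[str, tuple[int, int], str]]:
    """Return (group id, port range, cidr) for each admin-port rule that
    admits a source outside the trusted administrator networks."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        if not _touches_admin_ports(rule):
            continue
        for cidr in _cidrs(rule):
            if not _is_trusted(cidr):
                findings.append((sg["GroupId"], _rule_ports(rule), cidr))
    return findings


# Constructed sample groups in the describe-security-groups shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-ise-restricted", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        # RADIUS from the internal network: not an admin port, not flagged.
        {"IpProtocol": "udp", "FromPort": 1812, "ToPort": 1813,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-ise-exposed", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]


def audit_all(groups: list[dict]) -> dict[str, list]:
    """Map each group id to its findings; empty list means compliant."""
    return {sg["GroupId"]: audit_security_group(sg) for sg in groups}


if __name__ == "__main__":
    for gid, findings in audit_all(SAMPLE_GROUPS).items():
        status = "OK" if not findings else "EXPOSED"
        print(f"{gid}: {status}")
        for _, ports, cidr in findings:
            print(f"  ports {ports[0]}-{ports[1]} open to {cidr}")
```

The restricted group produces no findings; the exposed group is flagged three times: 443 open to the whole IPv4 internet, 22 open to a range outside the administrator networks, and an all-traffic rule open to every IPv6 source. Note that a narrower range is only accepted when it is a subnet of a trusted network, so a rule covering a superset of the trusted range is still reported.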