Cisco Systems has issued a critical security advisory warning of a significant vulnerability in its Identity Services Engine (ISE) platform when deployed on major cloud platforms including Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI).
The vulnerability enables unauthenticated remote attackers to access sensitive data, execute administrative operations, and potentially disrupt services across multiple cloud deployments, because the credentials are improperly generated and therefore shared between installations.
The vulnerability stems from a fundamental security oversight in how Cisco ISE generates credentials during cloud deployment processes.
According to Cisco’s advisory, the issue exists because credentials are improperly generated when ISE is deployed on cloud platforms, resulting in different ISE deployments sharing identical authentication credentials across multiple installations.
This means that all instances of the same software release on the same cloud platform utilize the same static credentials, creating a widespread security exposure.
The technical implications are severe, as attackers can extract user credentials from one Cisco ISE cloud deployment and subsequently use those same credentials to access other ISE installations deployed in different cloud environments through unsecured ports.
This cross-deployment credential sharing significantly amplifies the attack surface, as compromising a single instance potentially grants access to numerous other deployments running the same software version on the same cloud platform.
ISE Vulnerability
The vulnerability affects Cisco ISE versions 3.1 through 3.4 across different cloud platforms, with varying degrees of exposure.
On AWS, all versions from 3.1 to 3.4 are vulnerable, while Azure and OCI deployments are affected in versions 3.2 through 3.4.
Crucially, the vulnerability only impacts deployments where the Primary Administration node is hosted in the cloud – installations with on-premises Primary Administration nodes remain unaffected.
The company has also clarified that traditional on-premises deployments, hybrid configurations with on-premises administration nodes, and specialized cloud deployments like Azure VMware Solution remain secure from this particular vulnerability.
Adding urgency to the situation, Cisco’s Product Security Incident Response Team has confirmed that proof-of-concept exploit code is now publicly available for this vulnerability, though no malicious exploitation has been detected yet.
Proof-of-Concept Exploit
Cisco has confirmed that the credentials are platform- and version-specific: all AWS Release 3.1 instances share the same static credentials, but those differ from the credentials used in Release 3.2 deployments or on other cloud platforms.
The company has responded by releasing comprehensive fixes, including a universal hotfix “ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz” that addresses the vulnerability across all affected versions 3.1 through 3.4.
For permanent resolution, Cisco recommends upgrading to fixed releases, with version 3.3P8 expected in November 2025 and 3.4P3 scheduled for October 2025.
The upcoming version 3.5, planned for August 2025, will include the security fix from its initial release.
As interim mitigations, administrators can implement IP address restrictions through cloud security groups and reset configurations using the “application reset-config ise” command, though this latter option requires complete system reconfiguration.
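One way to audit the security-group mitigation described above, as an added example that is not Cisco's own code or tooling: the check walks a security group's ingress rules (in the shape AWS EC2 describe_security_groups returns) and flags any rule that admits sources outside the administrator CIDRs on the ISE administrative ports. The port numbers, CIDRs and sample rules are assumptions constructed for the example.

```python
"""Audit cloud security-group ingress for Cisco ISE admin ports.

Added example, not Cisco's code. Assumes that ISE administrative
access arrives on TCP 443 and SSH 22 (assumption, not stated in the
advisory) and that rules use the AWS IpPermissions dictionary shape.
"""
import ipaddress

# Ports assumed to carry ISE administrative access (assumption).
ADMIN_PORTS = {22, 443}

def rule_covers_port(perm, port):
    """True if an IpPermissions entry spans the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # "all traffic" rule
        return True
    if proto != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]

def find_open_admin_rules(ip_permissions, allowed_cidrs):
    """Return (port, cidr) pairs admitting sources outside allowed_cidrs."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for perm in ip_permissions:
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            # Same address family check avoids a TypeError from subnet_of.
            if any(a.version == src.version and src.subnet_of(a) for a in allowed):
                continue
            for port in sorted(ADMIN_PORTS):
                if rule_covers_port(perm, port):
                    findings.append((port, rng["CidrIp"]))
    return findings

def restricted_rules(allowed_cidrs):
    """Build ingress rules that admit only the admin CIDRs on admin ports."""
    return [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
             "IpRanges": [{"CidrIp": c} for c in allowed_cidrs]}
            for p in sorted(ADMIN_PORTS)]

# Constructed sample: HTTPS open to the world, SSH limited to a bastion subnet.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
]
ADMIN_CIDRS = ["10.0.1.0/24", "203.0.113.10/32"]  # constructed admin sources

if __name__ == "__main__":
    for port, cidr in find_open_admin_rules(SAMPLE_PERMISSIONS, ADMIN_CIDRS):
        print(f"port {port} reachable from {cidr}")   # prints the 443 finding
    print(restricted_rules(ADMIN_CIDRS))
```

Against the sample, the audit reports the world-open HTTPS rule and nothing else; the rules returned by restricted_rules pass the same audit cleanly.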
The vulnerability was responsibly disclosed by security researcher Kentaro Kawane of GMO Cybersecurity by Ierae.