Critical Cisco ISE Vulnerabilities Actively Exploited in RCE Attacks

Cisco has issued a critical security advisory warning of multiple unauthenticated remote code execution vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector products that are already being exploited by attackers in the wild.

The vulnerabilities carry the maximum CVSS score of 10.0, indicating the most severe security risk possible.

Three distinct vulnerabilities tracked as CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337 affect Cisco ISE and ISE-PIC installations running versions 3.3 and 3.4.

These vulnerabilities enable unauthenticated remote attackers to execute arbitrary commands on the underlying operating system with root privileges, representing a complete system compromise.

The vulnerabilities stem from insufficient validation of user-supplied input in specific APIs within the ISE platform. Key details include:

  • CVE-2025-20281 and CVE-2025-20337: Affect both ISE versions 3.3 and 3.4. Insufficient validation of user-supplied input in a specific API lets an unauthenticated attacker submit a crafted API request and execute arbitrary commands on the underlying operating system as root.
  • CVE-2025-20282: Impacts only version 3.4. A lack of file validation checks in an internal API allows an unauthenticated attacker to upload arbitrary files into privileged directories on the system and execute them as root.
  • Attack vector: No authentication required. All three flaws are reachable over the network by submitting crafted API requests without valid credentials.
  • Root cause: Missing or inadequate validation of attacker-controlled input in the exposed APIs. For CVE-2025-20281 and CVE-2025-20337 the weakness is in how request input is validated; for CVE-2025-20282 it is the absence of checks that should prevent uploaded files from landing in privileged directories.

CVE-2025-20282 presents a particularly concerning attack vector. Because the internal API does not validate what is uploaded or where it is written, an attacker can place an arbitrary file in a privileged directory on the appliance and then execute it with root privileges, turning a file-write primitive into full command execution without any credentials.


In July 2025, Cisco's Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of these vulnerabilities against customer deployments in the wild.

This discovery transforms the advisory from a theoretical security concern to an immediate operational threat, prompting Cisco to strongly emphasize the urgency of applying available fixes.

The exploitation attempts highlight the critical nature of these vulnerabilities for organizations relying on Cisco ISE for network access control and identity management.

Given that ISE typically operates as a central authentication and authorization service in enterprise networks, successful exploitation could provide attackers with extensive access to network resources and sensitive data.

The vulnerabilities were responsibly disclosed by security researchers Bobby Gould from Trend Micro Zero Day Initiative and Kentaro Kawane from GMO Cybersecurity by Ierae.

However, the timeline between disclosure and active exploitation underscores the rapid weaponization of critical infrastructure vulnerabilities.

Immediate Patching Required

Cisco has released software updates addressing all three vulnerabilities, but notably, no workarounds exist to mitigate the risk. Organizations must upgrade to fixed software releases to eliminate the security exposure.

For ISE version 3.3 deployments, administrators should upgrade to Release 3.3 Patch 7. Version 3.4 users need to install Release 3.4 Patch 2. Cisco has withdrawn earlier hot patches that provided incomplete protection, as they failed to address CVE-2025-20337.

Cisco notes that customers running ISE Release 3.2 or earlier are not affected by these specific vulnerabilities. Every 3.3 and 3.4 deployment, including ISE-PIC, should be treated as exposed until it is on the fixed patch level.

Given the maximum severity rating and confirmed exploitation activity, Cisco recommends immediate deployment of the fixed releases across all vulnerable systems, and organizations should schedule these updates in emergency maintenance windows rather than waiting for the regular patch cycle.
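The fix guidance above (3.3 needs Patch 7, 3.4 needs Patch 2, 3.2 and earlier out of scope) is easy to get wrong across a large deployment when it is checked by hand. The following Python triage helper, added here as an example and not Cisco tooling or code from the article, parses the text of an ISE node's `show version` output and reports whether that node is still in the vulnerable range and which CVEs apply. The layout of the `show version` transcript (a release block with a dotted `Version :` line and an optional patch block whose `Version :` line is a bare integer) is assumed for the example, the sample transcripts are constructed, and the helper assumes ISE patches are cumulative so a node at or above the fixed patch number counts as fixed.

```python
"""Triage Cisco ISE nodes against the fixed patch levels for
CVE-2025-20281, CVE-2025-20282 and CVE-2025-20337.

Added example; the `show version` layout below is an assumption and the
sample transcripts are constructed for this example.
"""
import re
from dataclasses import dataclass

# Fixed patch level per release train, as stated in the advisory.
FIXED_PATCH = {(3, 3): 7, (3, 4): 2}

# CVEs that apply to each vulnerable train (CVE-2025-20282 is 3.4 only).
CVES_BY_TRAIN = {
    (3, 3): ["CVE-2025-20281", "CVE-2025-20337"],
    (3, 4): ["CVE-2025-20281", "CVE-2025-20282", "CVE-2025-20337"],
}


@dataclass
class Triage:
    train: tuple        # (major, minor), e.g. (3, 3)
    patch: int          # cumulative patch level, 0 if no patch block
    vulnerable: bool
    cves: list
    action: str


def constructed_show_version(release, patch=None):
    """Build a `show version` transcript in the assumed layout (constructed data)."""
    out = ("Cisco Identity Services Engine\n"
           "---------------------------------------------\n"
           f"Version      : {release}\n"
           "Build Date   : Thu Jan  1 00:00:00 2025\n"
           "Install Date : Thu Jan  2 00:00:00 2025\n")
    if patch is not None:
        out += ("\nCisco Identity Services Engine Patch\n"
                "---------------------------------------------\n"
                f"Version      : {patch}\n"
                "Install Date : Thu Jan  3 00:00:00 2025\n")
    return out


def parse_show_version(text):
    """Return ((major, minor), patch) from the transcript.

    The first dotted `Version :` value is the release; a later bare-integer
    `Version :` value (inside the Patch block) is the cumulative patch level.
    """
    release, patch = None, 0
    for value in re.findall(r"Version\s*:\s*([\d.]+)", text):
        parts = value.split(".")
        if len(parts) >= 2 and release is None:
            release = (int(parts[0]), int(parts[1]))
        elif len(parts) == 1:
            patch = int(parts[0])
    if release is None:
        raise ValueError("no ISE release version found in show version output")
    return release, patch


def triage(text):
    """Decide whether a node is still exposed and what to do about it."""
    train, patch = parse_show_version(text)
    if train < (3, 3):
        return Triage(train, patch, False, [],
                      "not affected: ISE 3.2 or earlier is out of scope for these CVEs")
    if train not in FIXED_PATCH:
        return Triage(train, patch, False, [],
                      "release not named in the advisory: confirm against Cisco's current bulletin")
    needed = FIXED_PATCH[train]
    if patch >= needed:
        return Triage(train, patch, False, [],
                      f"fixed: Release {train[0]}.{train[1]} Patch {patch} is at or above Patch {needed}")
    return Triage(train, patch, True, list(CVES_BY_TRAIN[train]),
                  f"upgrade to Release {train[0]}.{train[1]} Patch {needed}")


# Constructed transcripts covering the cases the advisory distinguishes.
SAMPLE_33_PATCH5 = constructed_show_version("3.3.0.430", 5)   # vulnerable
SAMPLE_34_PATCH1 = constructed_show_version("3.4.0.608", 1)   # vulnerable
SAMPLE_34_PATCH2 = constructed_show_version("3.4.0.608", 2)   # fixed
SAMPLE_32_NOPATCH = constructed_show_version("3.2.0.542")     # not affected

if __name__ == "__main__":
    for name, sample in [("3.3 P5", SAMPLE_33_PATCH5), ("3.4 P1", SAMPLE_34_PATCH1),
                         ("3.4 P2", SAMPLE_34_PATCH2), ("3.2", SAMPLE_32_NOPATCH)]:
        t = triage(sample)
        print(f"{name:7} vulnerable={t.vulnerable} cves={t.cves} -> {t.action}")
```

Because the check keys on the cumulative patch number, a node that only ever received one of the withdrawn hot patches still reads as unpatched, which is the right answer: those hot patches did not cover CVE-2025-20337.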


Mayura Kathir is a cybersecurity reporter at GBHackers News, covering daily incidents including data breaches, malware attacks, cybercrime, vulnerabilities, zero-day exploits, and more.
