Unauthenticated Access Granted: Researchers Claim Root Privileges Were Granted Through Cisco ISE Vulnerability Before Patch Deployment
Critical Vulnerabilities Affecting Cisco Identity Services Engine: Active Exploitation Confirmed
A series of critical vulnerabilities have been discovered in Cisco's Identity Services Engine (ISE) and the Passive Identity Connector (ISE-PIC). These vulnerabilities, including CVE-2025-20281, CVE-2025-20337, and CVE-2025-20282, allow unauthenticated remote attackers to execute arbitrary commands with root privileges.
Timeline of Exploitation
- On June 15, 2025, Cisco initially disclosed the vulnerability CVE-2025-20281 along with CVE-2025-20282.
- In July 2025, Cisco confirmed active exploitation of these vulnerabilities in the wild, with attempts detected as early as early July or mid-July.
- On July 16–22, 2025, Cisco updated advisories to include CVE-2025-20337 and confirmed ongoing active exploits targeting these flaws.
Extent and Affected Products
The vulnerabilities affect Cisco ISE and ISE-PIC, specifically versions 3.3 and 3.4. These products are critical components in network security, managing authentication, authorization, and policy enforcement, influencing network access control across corporate enterprise environments.
Potential Impacts
The potential impacts of these vulnerabilities are significant. An attacker executing arbitrary root commands can control the entire underlying OS, effectively bypassing authentication and logging controls. Attackers could also grant themselves or others unrestricted network access, disable monitoring or logging, making detection and remediation difficult, and maintain stealthy persistence.
Additional Notes
Initial patches released by Cisco were incomplete, prompting further updates to address additional vulnerabilities. Attackers exploit these flaws via crafted API requests without needing valid credentials. Cisco has not publicly identified the threat actors or detailed the scale of exploitation.
Summary
Organisations using Cisco ISE versions 3.3 or 3.4 should urgently apply the latest security patches and monitor for suspicious activity related to these vulnerabilities. Cisco has warned that there are no workarounds for the vulnerabilities, and patching is the only option for those running a vulnerable setup. The Shadowserver Foundation has observed signs of exploitation of CVE-2025-20281 around July 5th, and further attempts since then.
| Aspect | Details | |--------------------------|-----------------------------------------------------| | Vulnerabilities | CVE-2025-20281, CVE-2025-20337, CVE-2025-20282 | | Affected Cisco Products | Cisco ISE and ISE-PIC versions 3.3 and 3.4 | | Disclosure Date | June 15, 2025 | | Active Exploitation | Confirmed since July 2025 | | Attack Vector | Unauthenticated remote API exploitation | | Impact | Remote code execution as root; full system compromise| | Ease of Exploitation | Proof-of-concept publicly available | | Patch Status | Initial patch incomplete; further updates released | | Potential Consequences | Network access bypass, logging evasion, system control|
- To mitigate the risks posed by critical vulnerabilities found in Cisco's Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC), it's crucial for organizations using versions 3.3 or 3.4 to immediately apply the latest security patches.
- The escalating threat of these vulnerabilities, including CVE-2025-20281, CVE-2025-20337, and CVE-2025-20282, demands proactive networking and cybersecurity measures to safeguard data-and-cloud-computing systems from unauthenticated remote attacks.
- In the IoT realm, software bugs that allow arbitrary root command execution can have severe consequences, as they could potentially enable an attacker to control the entire underlying OS and bypass authentication and logging controls.
- As AI-driven systems continue to be integrated into modern technology infrastructure, it's vital to prioritize AI-assisted threat detection, patch management, and network monitoring to swiftly identify and address vulnerabilities like those found in Cisco's ISE.
- Though initial patches fell short in addressing all vulnerabilities, software updates can be applied to reinforce software security and protect networks from ongoing exploitation attempts.
