
Unauthenticated Flaws in Cisco Identity Services Engine Grant Attackers Root Access Remotely

Unauthenticated remote attackers can exploit critical security flaws in Cisco's Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) to execute arbitrary commands with root privileges on vulnerable devices.

Remote Command Execution Flaws in Cisco ISE Grant Attackers Root Privileges

Cisco has recently disclosed multiple critical security vulnerabilities in its Identity Services Engine (ISE) and ISE-PIC, affecting versions 3.3 and 3.4 of the software. The vulnerabilities, assigned CVE identifiers CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337, all carry the maximum CVSS score of 10.0.

These vulnerabilities stem from insufficient validation of user-supplied input in specific APIs of Cisco ISE and ISE-PIC; in the file-upload case, the missing checks are the ones that should prevent an uploaded file from being written into a privileged directory. None of the three requires authentication: an attacker who can reach the exposed API over the network needs no valid credentials to exploit them, which is what makes them particularly dangerous.

CVE-2025-20281 and CVE-2025-20337 allow an unauthenticated remote attacker to execute arbitrary commands as root by submitting a crafted API request. CVE-2025-20282 instead lets an attacker upload arbitrary files into privileged directories and then execute them with root privileges. Because ISE is the network access control and policy enforcement point in many enterprise networks, a compromised ISE node puts the attacker in a position to influence which users and devices are admitted to the network, so the potential for widespread impact is significant.

Because the flaws are reachable over the network and exploitable without authentication, affected organizations face an urgent exposure. Cisco has released software updates that address all three vulnerabilities; there are no workarounds.

For Cisco ISE/ISE-PIC Release 3.3, users are advised to upgrade to Patch 7. This patch addresses CVE-2025-20281 and CVE-2025-20337. Release 3.3 is not affected by CVE-2025-20282. For Cisco ISE/ISE-PIC Release 3.4, users should apply Patch 2, which addresses all three vulnerabilities.

Organizations running affected Cisco ISE systems should prioritize immediate patching, given the critical severity of these vulnerabilities and the potential for complete system compromise. Note that the hot patches Cisco previously released for CVE-2025-20281 and CVE-2025-20282 have been deprecated because they do not address CVE-2025-20337; organizations that applied those hot patches must still upgrade to the full patch releases.
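The release-and-patch rules above are easy to get wrong across a fleet, especially for nodes that only received one of the withdrawn hot patches. The following script is an added example, not code from the original article or from Cisco: it encodes the guidance as stated (3.3 fixed in Patch 7 for CVE-2025-20281 and CVE-2025-20337; 3.4 fixed in Patch 2 for all three; hot patches cover only the first two CVEs) and reports what remains open on a node. The layout of the constructed `show version` sample, the build number in it, and the `hotpatch` flag are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Facts taken from the advisory summary above: which CVEs apply to which
# release train, and which cumulative patch carries the fix.
AFFECTED = {
    "3.3": ("CVE-2025-20281", "CVE-2025-20337"),
    "3.4": ("CVE-2025-20281", "CVE-2025-20282", "CVE-2025-20337"),
}
FIXED_IN_PATCH = {"3.3": 7, "3.4": 2}
# The deprecated hot patches addressed only these two CVEs.
HOTPATCH_COVERS = {"CVE-2025-20281", "CVE-2025-20282"}


@dataclass(frozen=True)
class Assessment:
    release: str
    patch: int
    affected: tuple      # CVEs that apply to this release train at all
    outstanding: tuple   # CVEs still unaddressed on this particular node
    action: str


def assess(release: str, patch: int, hotpatch: bool = False) -> Assessment:
    """Decide what is still open on one node.

    release  -- release train as a string, e.g. "3.3"
    patch    -- cumulative patch level installed (0 = base release)
    hotpatch -- whether one of the withdrawn hot patches was applied (assumed
                to be tracked by your inventory; `show version` does not say)
    """
    if release not in AFFECTED:
        # The advisory summary lists only 3.3 and 3.4 as affected.
        return Assessment(release, patch, (), (),
                          "release not listed as affected; confirm against the Cisco advisory")
    affected = AFFECTED[release]
    if patch >= FIXED_IN_PATCH[release]:
        return Assessment(release, patch, affected, (), "fixed")
    # A hot patch closes two of the CVEs but never CVE-2025-20337.
    outstanding = tuple(c for c in affected if not (hotpatch and c in HOTPATCH_COVERS))
    action = f"upgrade to Release {release} Patch {FIXED_IN_PATCH[release]}"
    if hotpatch:
        action += " (hot patch is deprecated and does not cover CVE-2025-20337)"
    return Assessment(release, patch, affected, outstanding, action)


# Constructed sample in the general shape of ISE `show version` output.
# The exact layout and build number are assumptions, not a captured device dump.
SAMPLE_SHOW_VERSION = """\
Cisco Identity Services Engine
Version : 3.4.0.608
Build Date : Thu Jan  1 00:00:00 2025
Install Date : Thu Jan  1 00:00:00 2025

Cisco Identity Services Engine Patch
Version : 1
"""


def parse_show_version(text: str) -> tuple:
    """Extract (release train, patch level) from the assumed `show version` layout.

    The software version line is the first dotted "Version :" line; the patch
    level is the integer "Version :" line that follows the "Patch" header.
    A missing patch block means the base release is installed (patch 0).
    """
    sw = re.search(r"^Version\s*:\s*(\d+\.\d+)\.\d+", text, re.M)
    if not sw:
        raise ValueError("no software version line found")
    pt = re.search(r"Patch\s*\n\s*Version\s*:\s*(\d+)", text)
    return sw.group(1), (int(pt.group(1)) if pt else 0)


if __name__ == "__main__":
    rel, level = parse_show_version(SAMPLE_SHOW_VERSION)
    print(assess(rel, level))
```

Feed `assess()` the release and patch level for every ISE and ISE-PIC node in your inventory and treat any non-empty `outstanding` tuple as unpatched; a node that only carries a hot patch still comes back with CVE-2025-20337 open, matching Cisco's reason for withdrawing those hot patches.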

These vulnerabilities were reported to Cisco through responsible disclosure by security researchers Bobby Gould of Trend Micro's Zero Day Initiative and Kentaro Kawane of GMO Cybersecurity by Ierae. No exploitation in the wild had been reported as of the latest update, but applying the patches promptly is still essential to prevent attacks.

Defenders should watch for follow-on reporting about these Cisco ISE and ISE-PIC vulnerabilities, including any published indicators of exploitation, and should restrict network reachability to ISE management and API interfaces to trusted hosts while patching is under way. Organizations running affected systems should apply the recommended patches immediately, given the critical severity of the flaws and the potential for complete system compromise.
