Critical Cisco ISE Vulnerability Allows Remote Attacker to Execute Commands as Root User

Cisco has disclosed multiple critical security vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could allow unauthenticated remote attackers to execute arbitrary commands with root privileges on affected systems.

The vulnerabilities, assigned CVE identifiers CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337, all carry the maximum CVSS score of 10.0, indicating the most severe level of risk.

Vulnerability Summary

| CVE ID | Affected Versions | Patched Versions | Description |
|---|---|---|---|
| CVE-2025-20281 | ISE/ISE-PIC 3.3, 3.4 | 3.3 Patch 7, 3.4 Patch 2 | Unauthenticated remote code execution as root through a specific API; insufficient validation of user-supplied input |
| CVE-2025-20282 | ISE/ISE-PIC 3.4 only | 3.4 Patch 2 | Unauthenticated upload of arbitrary files into privileged directories and execution of them as root; missing file validation checks |
| CVE-2025-20337 | ISE/ISE-PIC 3.3, 3.4 | 3.3 Patch 7, 3.4 Patch 2 | Unauthenticated remote code execution as root through a specific API; insufficient validation of user-supplied input |

Two of the vulnerabilities, CVE-2025-20281 and CVE-2025-20337, stem from insufficient validation of user-supplied input in a specific API of Cisco ISE and ISE-PIC; both affect releases 3.3 and 3.4. The third, CVE-2025-20282, affects only release 3.4.

Crucially, none of the three flaws requires authentication: an attacker needs no valid credentials to exploit them.

CVE-2025-20281 and CVE-2025-20337 allow an attacker to execute arbitrary code on the underlying operating system as root by submitting a crafted API request.

CVE-2025-20282 presents a different attack vector. It stems from a lack of file validation checks that would normally prevent uploaded files from being placed in privileged directories; an attacker can upload an arbitrary file into such a directory and then execute it with root privileges.

Affected Systems and Scope

The vulnerabilities exclusively affect Cisco ISE and ISE-PIC releases 3.3 and 3.4, regardless of device configuration. Organizations running version 3.2 or earlier are not vulnerable to these specific security flaws.

Given that ISE serves as a critical network access control and policy enforcement platform in many enterprise environments, the potential for widespread impact is significant.

The independent nature of these vulnerabilities means that exploitation of one does not require exploitation of another, potentially providing multiple attack vectors for malicious actors.

The network-accessible nature of these flaws, combined with their unauthenticated exploitation capability, creates an urgent security situation for affected organizations.

Cisco has released software updates to address all three vulnerabilities, with no available workarounds. The company strongly recommends upgrading to Release 3.3 Patch 7 for version 3.3 users or Release 3.4 Patch 2 for version 3.4 users.

Organizations currently running Release 3.4 Patch 2 require no further action, while those on Release 3.3 Patch 6 must upgrade to Patch 7.

Notably, Cisco has deprecated previously released hot patches (ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz and ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz) as they failed to address CVE-2025-20337. Organizations using these hot patches must upgrade to the full patch releases.
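The patch guidance above has three cases that are easy to get wrong during triage: the 3.3 and 3.4 trains have different fixed patch levels, 3.2 and earlier is out of scope, and a node carrying one of the deprecated CSCwo99449 hot patches is still open to CVE-2025-20337 until it reaches the full patch release. The script below is an added example written for this article, not Cisco tooling: it encodes exactly those rules from the advisory and applies them to an inventory. The inventory record shape (release string, installed cumulative patch number, installed hot-patch bundle file names) and the host names are assumptions for illustration; populate them from each node's version and patch information.

```python
"""Triage a Cisco ISE / ISE-PIC inventory against the fixed releases named in
the advisory for CVE-2025-20281, CVE-2025-20282 and CVE-2025-20337.

Added example, not Cisco tooling. The IseNode record (release string,
installed cumulative patch number, installed hot-patch bundle names) is an
assumed inventory shape; fill it from each node's version/patch information.
"""
from dataclasses import dataclass

# From the advisory: CVEs that apply to each release train, and the first
# cumulative patch of that train that fixes all of them.
AFFECTED_CVES = {
    "3.3": ("CVE-2025-20281", "CVE-2025-20337"),
    "3.4": ("CVE-2025-20281", "CVE-2025-20282", "CVE-2025-20337"),
}
FIXED_PATCH = {"3.3": 7, "3.4": 2}

# The deprecated hot patches carry bug ID CSCwo99449 in their file names and
# covered CVE-2025-20281 and CVE-2025-20282, but not CVE-2025-20337.
HOTPATCH_BUG_ID = "CSCwo99449"
HOTPATCH_COVERS = {"CVE-2025-20281", "CVE-2025-20282"}


@dataclass(frozen=True)
class IseNode:
    hostname: str
    version: str            # full release string, e.g. "3.3.0.430"
    patch: int = 0          # highest cumulative patch installed (0 = none)
    hot_patches: tuple = () # installed hot-patch bundle file names


def release_train(version: str) -> str:
    """'3.3.0.430' -> '3.3'. Only major.minor matters for this advisory."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError(f"unrecognised ISE version string: {version!r}")
    return f"{parts[0]}.{parts[1]}"


def triage(node: IseNode) -> dict:
    """Return status, still-open CVEs and the required action for one node."""
    train = release_train(node.version)
    if train not in AFFECTED_CVES:
        # 3.2 and earlier are not affected by these three CVEs.
        return {"hostname": node.hostname, "train": train,
                "status": "not affected", "open_cves": (), "action": "none"}

    open_cves = set(AFFECTED_CVES[train])
    if node.patch >= FIXED_PATCH[train]:
        open_cves.clear()
    elif any(HOTPATCH_BUG_ID in hp for hp in node.hot_patches):
        # Hot patch closes two of the three; CVE-2025-20337 stays open.
        open_cves -= HOTPATCH_COVERS

    if open_cves:
        status = "vulnerable"
        action = f"upgrade to Release {train} Patch {FIXED_PATCH[train]}"
    else:
        status, action = "patched", "none"
    return {"hostname": node.hostname, "train": train, "status": status,
            "open_cves": tuple(sorted(open_cves)), "action": action}


def triage_inventory(nodes) -> list:
    """Triage every node; vulnerable ones first so they top the report."""
    results = [triage(n) for n in nodes]
    return sorted(results, key=lambda r: (r["status"] != "vulnerable", r["hostname"]))


# Constructed sample inventory (not real hosts) covering each case in the advisory.
SAMPLE_INVENTORY = (
    IseNode("ise-pan-01", "3.2.0.542", patch=6),
    IseNode("ise-pan-02", "3.3.0.430", patch=6),
    IseNode("ise-psn-03", "3.3.0.430", patch=4,
            hot_patches=("ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz",)),
    IseNode("ise-psn-04", "3.4.0.608", patch=1),
    IseNode("ise-psn-05", "3.4.0.608", patch=2),
)

if __name__ == "__main__":
    for r in triage_inventory(SAMPLE_INVENTORY):
        cves = ", ".join(r["open_cves"]) or "-"
        print(f"{r['hostname']:<12} {r['train']:<4} {r['status']:<13} {cves:<48} {r['action']}")
```

The hot-patch branch is the part worth keeping: a node that shows the CSCwo99449 bundle installed looks "patched" to a naive string match, but the triage still reports CVE-2025-20337 open and points at the full 3.3 Patch 7 or 3.4 Patch 2 release, which is what the deprecation note above requires.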

The vulnerabilities were discovered through responsible disclosure by security researchers Bobby Gould of Trend Micro Zero Day Initiative and Kentaro Kawane of GMO Cybersecurity by Ierae.

Cisco’s Product Security Incident Response Team reports no evidence of public exploitation or malicious use of these vulnerabilities at the time of disclosure.

Organizations using affected Cisco ISE systems should prioritize immediate patching due to the critical nature of these vulnerabilities and the potential for complete system compromise.