CISA Issues Alert on Cisco Identity Services Engine Flaw Exploited in Active Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical security alert regarding severe vulnerabilities in Cisco’s Identity Services Engine (ISE) that are being actively exploited by threat actors.

The agency added two critical injection vulnerabilities to its Known Exploited Vulnerabilities Catalog on July 28, 2025, signaling immediate risks to organizations using the affected systems.

Critical Vulnerabilities Identified

CISA has flagged two distinct but related vulnerabilities affecting Cisco Identity Services Engine: CVE-2025-20281 and CVE-2025-20337. 

Both vulnerabilities stem from injection flaws in specific APIs of Cisco ISE and Cisco ISE-PIC platforms, caused by insufficient validation of user-supplied input. 

The vulnerabilities are classified under CWE-74, indicating they involve improper neutralization of special elements used in commands.

The security flaws allow attackers to exploit the system by submitting specially crafted API requests. 

Successful exploitation grants attackers the ability to perform remote code execution and obtain root privileges on affected devices, representing one of the most severe types of security compromises possible.

The inclusion of these vulnerabilities in CISA’s Known Exploited Vulnerabilities Catalog indicates that threat actors are actively targeting Cisco ISE deployments in real-world attacks.

This designation triggers mandatory response requirements for federal agencies and strongly recommends immediate action for private sector organizations.

CISA has established August 18, 2025, as the remediation deadline, giving organizations just three weeks to address these critical security gaps. 

The agency’s directive requires organizations to apply mitigations per vendor instructions, follow applicable Binding Operational Directive (BOD) 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
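As an added example (not from the article, CISA or Cisco), the snippet below parses a constructed sample in the shape of CISA's KEV JSON feed and works out the BOD 22-01 remediation window the article describes for the two Cisco ISE entries; the field names and the placeholder third entry are assumptions made for illustration.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed (assumed field names).
# The two Cisco entries use the CVE IDs and dates given in the article; the
# third entry is a placeholder so that the overdue path is exercised.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-20281", "vendorProject": "Cisco",
         "product": "Identity Services Engine",
         "dateAdded": "2025-07-28", "dueDate": "2025-08-18",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-20337", "vendorProject": "Cisco",
         "product": "Identity Services Engine",
         "dateAdded": "2025-07-28", "dueDate": "2025-08-18",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",  # placeholder, not a real CVE
         "product": "ExampleProduct",
         "dateAdded": "2025-07-01", "dueDate": "2025-07-22",
         "knownRansomwareCampaignUse": "Known"},
    ],
})


def kev_entries_for(feed_json, vendor, product_keyword):
    """Return catalog entries for one vendor whose product name contains a keyword."""
    feed = json.loads(feed_json)
    return [v for v in feed["vulnerabilities"]
            if v["vendorProject"].lower() == vendor.lower()
            and product_keyword.lower() in v["product"].lower()]


def remediation_status(entry, today):
    """Summarise one entry: length of the window CISA granted, days left (negative
    once overdue) and the catalog's ransomware flag, for prioritising patch work."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    return {
        "cve": entry["cveID"],
        "window_days": (due - added).days,
        "days_left": (due - today).days,
        "overdue": today > due,
        "ransomware_use": entry["knownRansomwareCampaignUse"],
    }


def triage(feed_json, vendor, product_keyword, today):
    """Entries for the product, most urgent (fewest days left) first."""
    statuses = [remediation_status(e, today)
                for e in kev_entries_for(feed_json, vendor, product_keyword)]
    return sorted(statuses, key=lambda s: s["days_left"])
```

Pointing `kev_entries_for` at the live catalog instead of `KEV_SAMPLE` turns this into a recurring check that new Cisco ISE entries are picked up as soon as they are added.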

Cisco Identity Services Engine serves as a critical network access control platform used by organizations worldwide to manage device authentication and authorization.

The discovery of actively exploited vulnerabilities in this infrastructure component poses significant risks to enterprise networks, potentially allowing attackers to gain comprehensive network access and establish persistent footholds within targeted environments.

Currently, it remains unknown whether these vulnerabilities are being leveraged in ransomware campaigns, though the combination of remote code execution capabilities and root-level access makes them attractive targets for various threat actors, including ransomware operators.

Organizations using Cisco ISE are urged to immediately review their deployments, apply available security patches, and implement additional monitoring measures.

The tight remediation timeline underscores the severity of the threat and the critical nature of prompt response to prevent potential compromise of network infrastructure and sensitive data.
