CISA Warns of Cisco Identity Services Engine Vulnerability Exploited in Attacks

CISA has issued an urgent warning regarding two critical injection vulnerabilities in Cisco’s Identity Services Engine (ISE) that threat actors are actively exploiting. 

The vulnerabilities, tracked as CVE-2025-20281 and CVE-2025-20337, allow attackers to achieve remote code execution with root privileges on affected systems. 

Key Takeaways
1. CISA added two Cisco ISE vulnerabilities (CVE-2025-20281, CVE-2025-20337) to its Known Exploited Vulnerabilities catalog.
2. Attackers can gain root access and execute remote code on Cisco ISE systems.
3. Organizations must patch or discontinue vulnerable products before the deadline.

Organizations using Cisco ISE and ISE-PIC products have until August 18, 2025, to implement necessary mitigations as mandated by CISA’s Known Exploited Vulnerabilities catalog.

Critical Injection Vulnerabilities 

Both CVE-2025-20281 and CVE-2025-20337 represent injection vulnerabilities affecting specific Application Programming Interfaces (APIs) within Cisco ISE and Cisco ISE-PIC (Personal Identity Certificate) systems. 

These vulnerabilities stem from insufficient validation of user-supplied input, a fundamental security flaw classified under Common Weakness Enumeration CWE-74, which addresses improper neutralization of special elements in output used by downstream components.

The vulnerabilities allow malicious actors to exploit the system by submitting carefully crafted API requests that bypass normal security controls. 

This type of injection attack represents a significant threat to network security infrastructure, as Cisco ISE serves as a centralized policy engine that controls network access for organizations worldwide. 

The affected systems are commonly deployed in enterprise environments to manage user authentication, authorization, and accounting (AAA) services across network resources.

Successful exploitation of these vulnerabilities enables attackers to achieve remote code execution (RCE) capabilities on affected devices, potentially gaining complete administrative control through root privilege escalation. 

This level of access allows threat actors to manipulate network policies, extract sensitive authentication data, and establish persistent backdoors within compromised systems.

These vulnerabilities are very serious because they allow someone without a password to access critical network infrastructure components from a distance.

Attackers can leverage these flaws to bypass network segmentation controls, access restricted network segments, and potentially deploy ransomware or establish command-and-control channels within compromised environments.

Mitigations

CISA’s inclusion of these vulnerabilities in the KEV catalog triggers mandatory compliance requirements under Binding Operational Directive (BOD) 22-01 for federal agencies and cloud service providers. 

Organizations must apply vendor-supplied mitigations, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of vulnerable products if patches are unavailable.

Cisco has published a security advisory providing detailed remediation guidance. While it remains unknown whether these vulnerabilities are being used in ransomware campaigns, the active exploitation status necessitates immediate attention from security teams managing Cisco ISE deployments. 

Organizations should prioritize patching efforts and implement network monitoring to detect potential exploitation attempts targeting these critical authentication infrastructure components.

Experience faster, more accurate phishing detection and enhanced protection for your business with real-time sandbox analysis-> Try ANY.RUN now