Cisco Alerts on ISE RCE Vulnerability Actively Exploited

Cisco has issued an urgent security advisory warning that a set of critical remote code execution (RCE) vulnerabilities affecting its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC) products are being actively exploited in the wild.

The flaws, tracked as CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337, carry the highest possible severity rating, with a CVSS base score of 10.0, and allow unauthenticated attackers to gain root-level access to vulnerable systems.

Cisco confirmed that no viable workarounds exist and strongly urged customers to apply the provided security updates without delay.

The first pair of vulnerabilities, CVE-2025-20281 and CVE-2025-20337, reside in public APIs of Cisco ISE and ISE-PIC releases 3.3 and 3.4.

By submitting specially crafted API requests, attackers can bypass input validation checks and execute arbitrary commands on the underlying operating system with root privileges.

| CVE Identifier | Vulnerability Type | Affected Releases | Fixed Release | CVSS Score |
|---|---|---|---|---|
| CVE-2025-20281 | API unauthenticated remote code execution | ISE/ISE-PIC 3.3, 3.4 | 3.3 Patch 7, 3.4 Patch 2 | 10.0 |
| CVE-2025-20282 | File upload validation bypass resulting in RCE | ISE/ISE-PIC 3.4 | 3.4 Patch 2 | 10.0 |
| CVE-2025-20337 | API unauthenticated remote code execution (second) | ISE/ISE-PIC 3.3, 3.4 | 3.3 Patch 7, 3.4 Patch 2 | 10.0 |

Cisco tracks these flaws under bug IDs CSCwo99449 and CSCwp02814 and noted that they affect all configurations of versions 3.3 and 3.4 but pose no risk to earlier releases.

The second flaw, CVE-2025-20282, impacts only Release 3.4 of ISE and ISE-PIC. In this case, the vulnerability stems from insufficient validation of uploaded files, permitting malicious objects to be stored in privileged directories and subsequently executed.

Cisco labeled this bug CSCwp02821 and again indicated that no credentials are required to exploit the issue, making the attack vector trivially accessible to remote adversaries.

Since first publishing the advisory on June 25, 2025, Cisco has iterated on its guidance. The current Version 2.1, released on July 21, 2025, confirmed that enhanced fixed releases are available.

Customers running ISE Release 3.4 Patch 2 no longer need to take action, whereas those on Release 3.3 Patch 6 must upgrade to Release 3.3 Patch 7.

Devices already patched with hotfix bundles ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz or ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz are similarly directed to move to the fixed patch releases, as the hotfixes do not address CVE-2025-20337.
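The upgrade guidance above can be turned into an inventory triage. The following is an added example, not code from Cisco or the advisory: the CSV inventory format, the host names and the 3.2 build number are constructed, and it assumes that a patch level at or above the fixed one includes the fix.

```python
import csv, io, re

# Fixed patch level and CVEs per release, as listed in the article's table.
FIXED_PATCH = {(3, 3): 7, (3, 4): 2}
CVES = {
    (3, 3): ["CVE-2025-20281", "CVE-2025-20337"],
    (3, 4): ["CVE-2025-20281", "CVE-2025-20282", "CVE-2025-20337"],
}
HOTFIX_PREFIX = "ise-apply-CSCwo99449_"  # hotfix bundles named in the article

def triage(release, patch, hotfix=""):
    """Return (action, unaddressed_cves) for one ISE/ISE-PIC node."""
    m = re.match(r"\s*(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unparseable release: {release!r}")
    train = (int(m.group(1)), int(m.group(2)))
    if train < (3, 3):
        return "not affected", []        # article: earlier releases not at risk
    if train not in FIXED_PATCH:
        return "check advisory", []      # release the article does not cover
    if patch >= FIXED_PATCH[train]:      # assumption: later patches keep the fix
        return "no action", []
    action = f"upgrade to {train[0]}.{train[1]} Patch {FIXED_PATCH[train]}"
    if hotfix.startswith(HOTFIX_PREFIX):
        # The article states only that the hotfixes leave CVE-2025-20337 open.
        return action, ["CVE-2025-20337"]
    return action, list(CVES[train])

# Constructed inventory (hypothetical hosts): host,release,patch,hotfix
INVENTORY = """\
ise-pan-01,3.4.0.608,2,
ise-psn-02,3.3.0.430,6,
ise-psn-03,3.3.0.430,4,ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz
ise-psn-04,3.2.0.542,5,
ise-pic-05,3.4.0.608,0,
"""

def triage_inventory(text):
    """Map each host in the CSV text to its (action, unaddressed_cves)."""
    rows = csv.reader(io.StringIO(text))
    return {h: triage(rel, int(p), hf) for h, rel, p, hf in rows}

if __name__ == "__main__":
    for host, (action, cves) in triage_inventory(INVENTORY).items():
        print(f"{host:12} {action:24} {', '.join(cves)}")
```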

Cisco cautions that these are genuine, critical threats and reassures customers that the patched software releases fully mitigate the flaws.

Administrators are urged to prioritize vulnerability scanning and patch deployment to safeguard network access control infrastructure from potential compromise.
