Cisco has issued a critical security advisory (Advisory ID: cisco-sa-ise-aws-static-cred-FPMjUcm7) for its Identity Services Engine (ISE) when deployed on major cloud platforms—Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI).
The vulnerability, tracked as CVE-2025-20286 and classified under CWE-259 (Use of Hard-coded Password), carries a CVSS v3.1 base score of 9.9, indicating a severe risk.
The flaw arises from the improper generation of credentials during ISE deployment on these cloud platforms.
As a result, all ISE instances of the same software release and platform share identical static credentials.
This means that an attacker who extracts credentials from one ISE cloud deployment could potentially access other ISE instances deployed in similar environments, leading to unauthorized access, data exposure, configuration changes, and service disruptions.
Key Technical Details:
- Vulnerability ID: CVE-2025-20286
- CVSS Score: 9.9 (Critical)
- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
- Scope: Changed (S:C)
- Potential Impact: Confidentiality, Integrity, and Availability loss
Affected Versions and Platforms
The vulnerability affects the following Cisco ISE releases when deployed in the cloud:
Platform | Vulnerable Releases |
---|---|
AWS | 3.1, 3.2, 3.3, 3.4 |
Azure | 3.2, 3.3, 3.4 |
OCI | 3.2, 3.3, 3.4 |
Important Note:
Only cloud deployments with the Primary Administration node in the cloud are affected.
On-premises deployments and hybrid setups with all administrative personas on-premises are not impacted.
There are no workarounds for this vulnerability.
Cisco recommends immediate action:
- Software Updates: Cisco has released hot fixes and new software versions to address the issue.
- Customers are urged to migrate to the fixed releases as detailed below.
Cisco ISE Release | Hot Fix File Name | First Fixed Release |
---|---|---|
3.1 – 3.4 | ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz | 3.3P8 (Nov 2025), 3.4P3 (Oct 2025) |
3.5 | Not applicable | Planned (Aug 2025) |
- Mitigations:
- Restrict access to ISE instances using Cloud Security Groups and source IP filtering.
- For new installations, run the following command to reset user passwords:

```bash
application reset-config ise
```
Warning: This command resets ISE to factory configuration. Restoring from backup will revert to the original credentials.
- Exploit Status:
Proof-of-concept exploit code exists, but there are no reports of malicious exploitation in the wild as of this advisory’s publication.
Implications and Recommendations
This vulnerability highlights the risks of static credential reuse in cloud environments.
Organizations using Cisco ISE in AWS, Azure, or OCI should:
- Immediately apply the recommended patches or migrate to a fixed release.
- Review cloud access controls and restrict administrative access via security groups and source IP allowlists.
- Avoid restoring backups with vulnerable credentials after applying mitigations.
- Monitor Cisco’s Security Advisories for updates and further guidance.
Prompt action is essential to maintain the security and integrity of network authentication and access control infrastructures in cloud deployments.
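The mitigation that the advisory and the recommendations above both rely on, restricting administrative access to ISE cloud instances with security groups and a source IP allowlist, is only effective if every inbound rule reaching the admin ports is actually scoped to that allowlist. The following audit script is an added example, not part of the advisory or of any Cisco tooling: it walks security-group rules in the shape returned by the AWS EC2 DescribeSecurityGroups API (GroupId, IpPermissions, IpRanges/Ipv6Ranges) and flags any source CIDR that reaches an ISE admin port without being contained in an operator allowlist. The admin port set (SSH on 22, admin GUI on 443), the allowlist and the sample group data are constructed assumptions for this example; in practice the groups would come from `boto3`'s `describe_security_groups` call, and the same logic applies to Azure NSG or OCI security-list rules once mapped to the same dictionary shape.

```python
"""Audit security-group rules for ISE admin-port exposure outside an allowlist."""
import ipaddress

# Assumption for this example: ports an ISE Primary Administration node exposes
# that must only be reachable from operator networks. Adjust per deployment.
ISE_ADMIN_PORTS = {22, 443}


def _admin_ports_hit(rule):
    """Return the admin ports a single inbound rule reaches ('-1' means all traffic)."""
    if rule.get("IpProtocol") == "-1":
        return set(ISE_ADMIN_PORTS)
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return set()
    return {p for p in ISE_ADMIN_PORTS if lo <= p <= hi}


def _rule_sources(rule):
    """Yield every IPv4/IPv6 source CIDR attached to a rule."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def find_exposed_rules(security_group, allowlist):
    """Flag sources that reach an admin port but are not inside an allowlisted network."""
    allowed = [ipaddress.ip_network(c) for c in allowlist]
    findings = []
    for rule in security_group.get("IpPermissions", []):
        ports = _admin_ports_hit(rule)
        if not ports:
            continue  # rule does not touch an admin port (e.g. RADIUS), ignore
        for cidr in _rule_sources(rule):
            net = ipaddress.ip_network(cidr)
            # A source is acceptable only if it is fully contained in an allowlisted
            # network of the same IP version; 0.0.0.0/0 is never contained.
            contained = any(net.version == a.version and net.subnet_of(a) for a in allowed)
            if not contained:
                findings.append({
                    "group": security_group["GroupId"],
                    "source": cidr,
                    "ports": sorted(ports),
                })
    return findings


def audit(security_groups, allowlist):
    """Run the check over every group and return all findings."""
    results = []
    for sg in security_groups:
        results.extend(find_exposed_rules(sg, allowlist))
    return results


# Constructed sample data (not real infrastructure): mimics DescribeSecurityGroups output.
OPERATOR_ALLOWLIST = ["10.20.0.0/16"]
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-ise-admin",
        "IpPermissions": [
            # Admin GUI open to the world: should be flagged.
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            # SSH from an operator subnet inside the allowlist: acceptable.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.20.0.0/24"}]},
            # RADIUS from NAS devices: not an admin port, not flagged by this check.
            {"IpProtocol": "udp", "FromPort": 1812, "ToPort": 1813,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
    {
        "GroupId": "sg-ise-allow-all",
        "IpPermissions": [
            # Catch-all rule from anywhere: reaches every admin port, flagged.
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS, OPERATOR_ALLOWLIST):
        print(f"{finding['group']}: {finding['source']} reaches admin ports {finding['ports']}")
```

Running the script against the constructed sample reports two findings: the 443/tcp rule from 0.0.0.0/0 and the all-traffic rule, while the SSH rule from the allowlisted /24 and the RADIUS rule pass. Because the advisory's shared-credential flaw is only exploitable over the network, a clean run of this check on every ISE admin-node group is a meaningful compensating control until the hot fix or fixed release is in place.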