Cisco CVE-2025-20337 & ISE-PIC Vulnerabilities Uncovered

Cisco has issued a new security advisory warning of newly discovered vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), revealing serious security flaws that could allow remote, unauthenticated attackers to execute arbitrary code on targeted systems with root privileges.  The most severe of these vulnerabilities, tracked as CVE-2025-20337, carries the maximum CVSS score of 10.0.

This vulnerability is strikingly similar to another critical issue, CVE-2025-20281, which Cisco patched just weeks earlier. 

“Multiple vulnerabilities in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit these vulnerabilities,” Cisco stated in its revised security advisory, published initially on June 25, 2025, and updated on July 16, 2025.

Cisco Vulnerability CVE-2025-20337 

These vulnerabilities affect Cisco ISE and ISE-PIC versions 3.3 and 3.4 regardless of their configuration. Devices running Release 3.2 or earlier are not affected by CVE-2025-20337 or CVE-2025-20281. Meanwhile, a related vulnerability, CVE-2025-20282, impacts only Release 3.4. 

According to Cisco, no authentication is required to exploit these vulnerabilities. Threat actors could remotely submit crafted API requests or upload malicious files, thereby gaining full control over the operating system. This opens the door to activities like data exfiltration, lateral movement, or further compromise of network infrastructure. 

Vulnerabilities Technical Details 

The vulnerabilities CVE-2025-20337 and CVE-2025-20281 stem from insufficient validation of user-supplied input in a specific API used by Cisco ISE and ISE-PIC, allowing unauthenticated attackers to send crafted API requests that could result in arbitrary code execution with root privileges. These critical flaws, identified by Bug IDs CSCwo99449 and CSCwp02814, are categorized under CWE-269 (Improper Privilege Management) and CWE-74 (Improper Neutralization of Input), and carry a CVSS v3.1 base score of 10.0 with a vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, highlighting their severe potential impact on affected systems. 

The vulnerability CVE-2025-20282 arises from inadequate file validation checks within an internal API of Cisco ISE and ISE-PIC, enabling remote attackers to upload arbitrary files to privileged directories and execute them with elevated privileges. Identified by Bug ID CSCwp02821, this flaw is rated critical with a CVSS v3.1 base score of 10.0 and a vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. 

Patching and Recommendations 

Cisco has released software updates to mitigate these vulnerabilities. However, the company emphasized that no workarounds currently exist for these issues. Organizations are strongly advised to upgrade to the recommended fixed releases: 

• If running Cisco ISE 3.4 Patch 2, no further action is needed. 
• For Cisco ISE 3.3 Patch 6, it is essential to upgrade to Patch 7. 
• Users who have applied hot patches such as ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz or ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz should also upgrade, as these patches do not mitigate CVE-2025-20337. 

The advisory notes that these vulnerabilities are independent of one another, meaning each one could be exploited separately. An affected release may not necessarily be vulnerable to all three CVEs. 

Related