Cisco network access security platform vulnerabilities under active exploitation

A pair of maximum-severity vulnerabilities affecting Cisco’s network access security platform are under active exploitation, the enterprise networking and IT vendor warned in a security advisory Monday.

The software defects in Cisco Identity Services Engine and Cisco ISE Passive Identity Connector — CVE-2025-20281 and CVE-2025-20337 — were disclosed and addressed by Cisco on June 25, followed by the disclosure of a third critical vulnerability in the same software, CVE-2025-20282, on July 16. Cisco said it became aware of reported attempted exploitation of CVE-2025-20281 and CVE-2025-20337 on July 21.

“Based on these reports, we have updated our security advisory to reflect the attempted exploitation,” a Cisco spokesperson said in a statement. “At this time, we are not aware of any attempted exploitation or malicious use of CVE-2025-20282, and we continue to strongly recommend that customers upgrade to fixed software releases that remediate these vulnerabilities.”

All three of the vulnerabilities have a CVSS rating of 10 and there are no workarounds for the software defects. Cisco warned that all three vulnerabilities can be exploited by an unauthenticated, remote attacker, allowing arbitrary code execution on the underlying system as root.

Cisco did not say how many customers are currently impacted.

Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, said researchers detected active exploitation of CVE-2025-20281 on July 17. “Since CVE-2025-20281 and CVE-2025-20337 are very similar, we believe both are under active attack. Proof of concept exploit code was first made public on June 27,” Childs said.

“Right now, those attacks appear to be limited and targeted. Cisco ISE is used by thousands of enterprises, so the potential impact is large,” he added.

The origins and motivations of the threat group or attacker behind the exploits remain unknown, but the potential interest is broad.

“Threat actors would be interested in these vulnerabilities because a Cisco ISE has a high degree of network visibility through logging, which gives threat actors insight for further attacks in the network,” Childs said. “An ISE also is a repository for potentially all of the users in an organization.”

Written by Matt Kapko

Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University.

