Cisco Patches Critical ISE Vulnerability With Public PoC
Cisco this week announced fixes for a dozen vulnerabilities in its products, including a critical-severity flaw affecting cloud deployments of Identity Services Engine (ISE) for which proof-of-concept (PoC) exploit code already exists.
The critical issue, tracked as CVE-2025-20286 (CVSS score of 9.9), exists because credentials are improperly generated when deploying ISE on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI).
Because the improperly generated credentials are the same across multiple ISE deployments running the same release, an attacker who extracts them from one deployment could use them to access ISE instances in other, unrelated cloud environments.
“A successful exploit could allow the attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems,” Cisco says.
The issue only affects ISE deployments in which the Primary Administration node is hosted in the cloud, the tech giant says; deployments whose Primary Administration node is on premises are not affected.
Cisco warns in its advisory that there are no workarounds for this vulnerability and that PoC exploit code targeting the security defect exists.
The company has released hot fixes that apply to ISE releases 3.1 to 3.4, noting that ISE versions 3.0 and earlier are not affected.
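The following Python snippet is an added illustration, not Cisco code, and the page does not describe how ISE actually generates the affected credentials. It contrasts the general pattern behind this class of bug, a bootstrap secret derived only from build-time constants such as the release string (identical on every instance of that release), with a per-instance secret that mixes in fresh CSPRNG output on first boot. The release string, label and entropy size are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample inputs; the release string is a placeholder, not a real ISE build.
RELEASE = "3.4.0.0-example"
CLOUD = "aws"


def weak_bootstrap_secret(release: str, cloud: str) -> str:
    """Anti-pattern: the 'secret' is a pure function of values baked into the image.

    Every deployment of the same release on the same platform computes the same
    value, so anyone who recovers it from one instance can reuse it elsewhere.
    """
    material = f"bootstrap:{cloud}:{release}".encode()
    return hashlib.sha256(material).hexdigest()


def new_instance_entropy() -> bytes:
    """Fresh per-instance randomness, generated once on first boot (assumed 256 bits)."""
    return secrets.token_bytes(32)


def strong_bootstrap_secret(release: str, cloud: str, instance_entropy: bytes) -> str:
    """Per-instance secret: build-time labels may be bound in, but the output is
    dominated by randomness that exists only on this instance."""
    if len(instance_entropy) < 32:
        raise ValueError("need at least 256 bits of per-instance entropy")
    label = f"bootstrap:{cloud}:{release}".encode()
    return hmac.new(instance_entropy, label, hashlib.sha256).hexdigest()


def distinct_secrets_across_deployments(n: int, per_instance: bool) -> int:
    """Simulate n independent deployments of the same release and count how many
    distinct bootstrap secrets they end up with (1 means fully shared)."""
    seen = set()
    for _ in range(n):
        if per_instance:
            seen.add(strong_bootstrap_secret(RELEASE, CLOUD, new_instance_entropy()))
        else:
            seen.add(weak_bootstrap_secret(RELEASE, CLOUD))
    return len(seen)


if __name__ == "__main__":
    print("deterministic generation, 5 deployments, distinct secrets:",
          distinct_secrets_across_deployments(5, per_instance=False))
    print("per-instance generation,  5 deployments, distinct secrets:",
          distinct_secrets_across_deployments(5, per_instance=True))
```

The practical takeaway for anyone building or auditing a cloud image: any secret that can be recomputed from the image alone, or that is baked into the image before it is cloned, must be regenerated on first boot of each instance.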
Of the remaining vulnerabilities, two are high-severity flaws related to SSH handling in the Integrated Management Controller (IMC) and the Nexus Dashboard Fabric Controller (NDFC).
The first, tracked as CVE-2025-20261 (CVSS score of 8.8), affects UCS B, C, S, and X series servers that accept incoming SSH connections to the IMC. Appliances based on pre-configured versions of UCS C-series servers are also affected.
Insufficient restrictions on access to internal services allow an authenticated attacker to reach those services with elevated privileges and make unauthorized modifications, including creating new administrative accounts on the affected devices, Cisco says.
The second high-severity issue, tracked as CVE-2025-20163 (CVSS score of 8.7), is described as insufficient SSH host key validation in NDFC's SSH implementation. An attacker positioned on the network path could perform a machine-in-the-middle attack, intercept the SSH traffic, and capture user credentials.
All devices running NDFC – previously known as Data Center Network Manager (DCNM) – are affected by the security defect, regardless of their configuration, the tech giant warns.
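The NDFC flaw is a failure to pin the peer's host key, which is exactly the check a client must perform before it sends credentials. The Python below is an added example of that check, not NDFC or Cisco code, written against the OpenSSH known_hosts format (plain `host keytype base64key` entries and hashed `|1|salt|hmac-sha1` entries). The hostnames, the fixed salt, and the key blobs are constructed placeholders, not real public keys; the `accept-any` policy is included only to show what "insufficient validation" looks like next to the strict check.

```python
import base64
import hashlib
import hmac

# Constructed placeholder key blobs (not real SSH public keys).
SWITCH1_KEY = bytes(range(0, 32))
SWITCH2_KEY = bytes(range(32, 64))
MITM_KEY = bytes(range(64, 96))  # what an interceptor would present instead


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def hashed_host_entry(hostname: str, keytype: str, key_blob: bytes, salt: bytes) -> str:
    """Build a known_hosts line in OpenSSH's hashed-hostname form."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return f"|1|{_b64(salt)}|{_b64(digest)} {keytype} {_b64(key_blob)}"


# Constructed sample known_hosts: one plain entry, one hashed entry, one comment.
KNOWN_HOSTS = "\n".join([
    "# constructed sample, fixed salt used only for reproducibility",
    f"switch1.fabric.example ssh-ed25519 {_b64(SWITCH1_KEY)}",
    hashed_host_entry("switch2.fabric.example", "ssh-ed25519", SWITCH2_KEY, b"\x01" * 20),
])


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint (unpadded base64), useful in log messages."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(key_blob).digest()).rstrip(b"=").decode()


def _host_matches(pattern: str, hostname: str) -> bool:
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in pattern.split(",")


def lookup_pinned_keys(known_hosts: str, hostname: str, keytype: str) -> list:
    """Return every pinned key blob for hostname/keytype; skips comments and junk lines."""
    keys = []
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        pattern, kt, b64key = parts[0], parts[1], parts[2]
        if kt == keytype and _host_matches(pattern, hostname):
            keys.append(base64.b64decode(b64key))
    return keys


def verify_host_key(known_hosts: str, hostname: str, keytype: str,
                    presented: bytes, policy: str = "strict") -> str:
    """Decide whether to continue the handshake.

    'ok'       -> presented key matches a pinned key, safe to authenticate
    'mismatch' -> a different key is pinned for this host: possible interception, abort
    'unknown'  -> no key pinned: must not send credentials until the key is verified
    policy='accept-any' reproduces the weak behaviour of never rejecting a key.
    """
    if policy == "accept-any":
        return "ok"
    pinned = lookup_pinned_keys(known_hosts, hostname, keytype)
    if not pinned:
        return "unknown"
    for key in pinned:
        if hmac.compare_digest(key, presented):
            return "ok"
    return "mismatch"


if __name__ == "__main__":
    for host, key in [("switch1.fabric.example", SWITCH1_KEY),
                      ("switch1.fabric.example", MITM_KEY),
                      ("switch2.fabric.example", SWITCH2_KEY),
                      ("switch9.fabric.example", SWITCH1_KEY)]:
        print(host, fingerprint(key), verify_host_key(KNOWN_HOSTS, host, "ssh-ed25519", key))
```

Only the `ok` result should ever lead to password or key-based authentication; `unknown` needs out-of-band verification of the fingerprint, and `mismatch` should be logged and treated as a potential interception rather than silently re-pinned.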
Cisco also released fixes for nine medium-severity flaws in Unified Communications products, Unified Contact Center Express (Unified CCX), ThousandEyes Endpoint Agent for Windows, Identity Services Engine (ISE), ISE Passive Identity Connector (ISE-PIC), Unified Intelligent Contact Management Enterprise, and Customer Collaboration Platform (CCP).
Successful exploitation of these vulnerabilities could allow attackers to execute arbitrary commands as root, perform an XSS attack, execute arbitrary code, delete arbitrary files, upload files, or persuade users to disclose sensitive data.
The company warned that proof-of-concept (PoC) code was publicly available for two of the medium-severity issues (CVE-2025-20130, impacting ISE and ISE-PIC; and CVE-2025-20129, affecting CCP, formerly SocialMiner), but said it was not aware of any of the security defects being exploited in attacks.
Users are advised to update their Cisco appliances as soon as possible. Additional information on these vulnerabilities can be found on Cisco’s security advisories page.
Related: Technical Details Published for Critical Cisco IOS XE Vulnerability
Related: Splunk Patches Dozens of Vulnerabilities
Related: Zoom Patches 4 High-Severity Vulnerabilities
Related: Zyxel Issues ‘No Patch’ Warning for Exploited Zero-Days