Cisco Warns ISE Vulnerability Allows Remote Attackers to Access Sensitive Data
Cisco has warned of a critical vulnerability affecting its Identity Services Engine (ISE) when deployed on major cloud platforms, noting that proof-of-concept exploit code is now publicly available.
The flaw, tracked as CVE-2025-20286 with a CVSS score of 9.9, enables unauthenticated remote attackers to access sensitive data and execute administrative operations across multiple cloud deployments due to improperly generated static credentials.
The vulnerability stems from a fundamental security flaw in how Cisco ISE generates credentials during cloud platform deployments on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI).
Cisco ISE Credential Vulnerability
According to Cisco’s advisory, the issue exists because “credentials are improperly generated when Cisco ISE is being deployed on cloud platforms, resulting in different Cisco ISE deployments sharing the same credentials”.
The shared-credential problem is platform- and version-specific, meaning all instances of the same ISE release on the same cloud platform use identical authentication credentials.
For example, every deployment of Release 3.1 on AWS shares the same static credentials, while those same credentials would not work on Azure deployments or different software versions.
This design flaw allows attackers who extract credentials from one ISE deployment to potentially access other ISE instances running the same software version on the same cloud platform through unsecured ports.
The vulnerability was discovered and reported by Kentaro Kawane of GMO Cybersecurity by Ierae.
| Risk Factors | Details |
| --- | --- |
| Affected Products | Cisco ISE 3.1–3.4 deployments with Primary Administration nodes on AWS (3.1–3.4), Azure (3.2–3.4), or OCI (3.2–3.4) |
| Impact | Access sensitive data |
| Exploit Prerequisites | Attacker requires network access to the cloud management interface and knowledge of the static credentials for the matching ISE version/platform |
| CVSS 3.1 Score | 9.9 (Critical) |
Affected Systems
The vulnerability affects Cisco ISE releases 3.1 through 3.4, with specific platform coverage varying by cloud provider.
AWS deployments are vulnerable across versions 3.1, 3.2, 3.3, and 3.4, while Azure and OCI platforms are affected from versions 3.2 through 3.4.
Critically, the vulnerability only impacts deployments where the Primary Administration node resides in the cloud; on-premises Primary Administration nodes remain unaffected.
Cisco has confirmed that traditional on-premises deployments using ISO or OVA installations from the Cisco Software Download Center are not vulnerable, including appliances and virtual machines.
Additionally, hybrid deployments with all ISE Administrator personas located on-premises and specialized cloud configurations like Azure VMware Solution (AVS) and Google Cloud VMware Engine remain secure.
The Cisco Product Security Incident Response Team (PSIRT) has acknowledged that “proof-of-concept exploit code is available for the vulnerability,” though it reports no awareness of malicious exploitation in the wild.
Patches Released
Cisco has released a comprehensive hot fix identified as “ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz” that addresses the vulnerability across all affected versions 3.1 through 3.4.
For long-term solutions, the company plans permanent fixes with Release 3.3P8 scheduled for November 2025, Release 3.4P3 for October 2025, and the new 3.5 release planned for August 2025.
Organizations can implement immediate mitigations by configuring Cloud Security Groups to restrict source IP addresses to authorized administrators and using Cisco ISE’s built-in IP allowlisting features.
For new installations, Cisco recommends running the “application reset-config ise” command on Primary Administration nodes to generate fresh credentials, though this command resets ISE to factory configuration and requires careful consideration.
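The network-restriction mitigation above can be checked programmatically. The following is an added example, not Cisco's code: it audits security-group rules in the shape returned by `aws ec2 describe-security-groups` for ISE management ports reachable from any address, and builds the corrected rules that admit only an administrator allowlist. The management ports (HTTPS admin portal and SSH), the administrator CIDR and the sample group are assumptions constructed for this example.

```python
"""Audit security-group ingress in front of an ISE Primary Administration
node: flag management ports open to the whole Internet and emit rules that
admit only authorized administrator ranges.  Data below is constructed."""
import ipaddress

ISE_MGMT_PORTS = {443, 22}           # assumed: ISE admin portal (HTTPS) and SSH
ADMIN_CIDRS = ["203.0.113.0/24"]     # assumed administrator range (TEST-NET-3)
ANY = {"0.0.0.0/0", "::/0"}          # "open to the world" CIDRs


def exposed_rules(sg):
    """Return (port, cidr) pairs that open an ISE management port to everyone."""
    found = []
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):   # "-1" = all protocols
            continue
        lo = perm.get("FromPort", 0)          # all-protocol rules carry no ports
        hi = perm.get("ToPort", 65535)
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            if cidr in ANY:
                found.extend((p, cidr) for p in sorted(ISE_MGMT_PORTS) if lo <= p <= hi)
    return found


def hardened_permissions():
    """Ingress rules restricted to the administrator allowlist, one per port."""
    # ip_network() raises on a malformed CIDR, so a typo cannot silently widen access.
    ranges = [{"CidrIp": str(ipaddress.ip_network(c))} for c in ADMIN_CIDRS]
    return [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p, "IpRanges": ranges}
            for p in sorted(ISE_MGMT_PORTS)]


# Constructed sample: the weak setting, admin portal open to all IPv4 and SSH to all IPv6.
WEAK_SG = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    for port, cidr in exposed_rules(WEAK_SG):
        print(f"{WEAK_SG['GroupId']}: port {port} reachable from {cidr}")
    print("replacement ingress:", hardened_permissions())
```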