Cisco Warns of Identity Services Engine RCE Vulnerability Exploited in the Wild
Cisco Systems has issued a critical security advisory warning of multiple remote code execution vulnerabilities in its Identity Services Engine (ISE), some of which are being actively exploited by attackers in the wild.
The vulnerabilities, carrying the maximum CVSS severity score of 10.0, allow unauthenticated remote attackers to execute arbitrary commands with root privileges on affected systems.
The networking giant disclosed three separate vulnerabilities tracked as CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337, all of which affect Cisco ISE and ISE Passive Identity Connector (ISE-PIC) deployments.
The company’s Product Security Incident Response Team (PSIRT) confirmed in July 2025 that some of these vulnerabilities are being exploited in active attacks, prompting urgent calls for organizations to apply patches immediately.
Cisco ISE RCE Vulnerability Exploited in Wild
Two of the vulnerabilities, CVE-2025-20281 and CVE-2025-20337, stem from insufficient validation of user-supplied input in a specific API in ISE releases 3.3 and 3.4.
These flaws allow an attacker to submit crafted API requests without any authentication and potentially gain root access to the targeted system. The third vulnerability, CVE-2025-20282, affects only ISE release 3.4 and involves an internal API that lacks the file validation checks needed to keep uploaded files out of privileged directories.
“An attacker could exploit these vulnerabilities by submitting a crafted API request,” Cisco explained in its advisory. “A successful exploit could allow the attacker to obtain root privileges on an affected device.”
The CVE-2025-20282 flaw enables attackers to upload arbitrary files to privileged directories and subsequently execute them with root permissions.
The three vulnerabilities are classified under two Common Weakness Enumeration categories: CWE-269 (Improper Privilege Management), which matches the file-upload flaw, and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, i.e. injection), which matches the two input-validation flaws.
Cisco emphasized that no workarounds exist for these vulnerabilities, so patching is the only viable defense. The company has since issued updated fixed releases after its initial patches were found to be incomplete.
Organizations running ISE Release 3.4 Patch 2 require no further action, as this version contains all necessary fixes. However, systems running ISE Release 3.3 Patch 6 must upgrade to Release 3.3 Patch 7 for complete protection.
| Cisco ISE or ISE-PIC Release | First Fixed Release for CVE-2025-20281 | First Fixed Release for CVE-2025-20282 | First Fixed Release for CVE-2025-20337 |
|---|---|---|---|
| 3.2 and earlier | Not vulnerable | Not vulnerable | Not vulnerable |
| 3.3 | 3.3 Patch 7 | Not vulnerable | 3.3 Patch 7 |
| 3.4 | 3.4 Patch 2 | 3.4 Patch 2 | 3.4 Patch 2 |
Cisco specifically warned that earlier hot patches (ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz and ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz) failed to address CVE-2025-20337 and have been withdrawn from distribution.
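As an added example that is not part of Cisco's advisory or of the original article, the following Python triages an ISE or ISE-PIC inventory against the fixed-release table above. The fixed patch levels and the withdrawn hot-patch filenames are taken from the article; the inventory entries, hostnames and helper names (`IseNode`, `assess`, `required_release`, `warnings_for`, `triage`) are constructed for illustration. Two details the table alone does not make obvious are handled explicitly: a release train newer than 3.4 is reported as unknown rather than guessed, and a node that carries one of the withdrawn hot patches but still sits below the fixed patch level is flagged as not covered for CVE-2025-20337.

```python
"""Triage a Cisco ISE / ISE-PIC fleet against the first-fixed releases for
CVE-2025-20281, CVE-2025-20282 and CVE-2025-20337 (data from the advisory
table; inventory and helper names are constructed for this example)."""
import re
from dataclasses import dataclass

CVES = ("CVE-2025-20281", "CVE-2025-20282", "CVE-2025-20337")

# First fixed cumulative patch level per release train, per the advisory.
# None means that train is not affected by the CVE at all.
FIRST_FIXED_PATCH = {
    "3.3": {"CVE-2025-20281": 7, "CVE-2025-20282": None, "CVE-2025-20337": 7},
    "3.4": {"CVE-2025-20281": 2, "CVE-2025-20282": 2, "CVE-2025-20337": 2},
}

# Hot patch bundles Cisco withdrew because they do not address CVE-2025-20337.
WITHDRAWN_HOT_PATCHES = {
    "ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz",
    "ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz",
}


@dataclass
class IseNode:
    name: str
    version: str             # full build string as reported by the node, e.g. "3.3.0.430"
    patch: int               # cumulative patch level installed (0 = no patch)
    hot_patches: tuple = ()  # hot patch bundle filenames applied on top of that patch


def release_train(version: str) -> tuple:
    """Reduce a build string such as '3.3.0.430' to the (major, minor) train."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unrecognised ISE version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def assess(node: IseNode) -> dict:
    """Per-CVE status: 'not vulnerable', 'fixed', 'vulnerable', or 'unknown'."""
    major, minor = release_train(node.version)
    if (major, minor) <= (3, 2):
        return {cve: "not vulnerable" for cve in CVES}
    train = f"{major}.{minor}"
    if train not in FIRST_FIXED_PATCH:
        # Trains newer than 3.4 are not in the advisory table; do not guess.
        return {cve: "unknown" for cve in CVES}
    status = {}
    for cve in CVES:
        fixed = FIRST_FIXED_PATCH[train][cve]
        if fixed is None:
            status[cve] = "not vulnerable"
        elif node.patch >= fixed:
            status[cve] = "fixed"
        else:
            status[cve] = "vulnerable"
    return status


def required_release(node: IseNode):
    """Lowest patch that closes every open CVE on this node, or None if none is needed."""
    train = "%d.%d" % release_train(node.version)
    needed = [p for p in FIRST_FIXED_PATCH.get(train, {}).values()
              if p is not None and node.patch < p]
    return f"{train} Patch {max(needed)}" if needed else None


def warnings_for(node: IseNode) -> list:
    """Withdrawn hot patches give no cover for CVE-2025-20337; say so explicitly."""
    if assess(node)["CVE-2025-20337"] != "vulnerable":
        return []
    return [f"{b} is withdrawn and does not fix CVE-2025-20337"
            for b in node.hot_patches if b in WITHDRAWN_HOT_PATCHES]


# Constructed sample inventory (not real hosts). Build numbers 3.3.0.430 and
# 3.4.0.608 come from the hot patch filenames; the 3.2 build string is made up.
INVENTORY = [
    IseNode("ise-pan-01", "3.4.0.608", 1,
            ("ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz",)),
    IseNode("ise-pan-02", "3.3.0.430", 6),
    IseNode("ise-psn-03", "3.3.0.430", 7),
    IseNode("ise-pic-04", "3.2.0.542", 7),
    IseNode("ise-psn-05", "3.4.0.608", 2),
]


def triage(inventory) -> list:
    """Return one row per node: (name, open CVEs, required release, warnings)."""
    rows = []
    for node in inventory:
        status = assess(node)
        open_cves = [c for c in CVES if status[c] == "vulnerable"]
        rows.append((node.name, open_cves, required_release(node), warnings_for(node)))
    return rows


if __name__ == "__main__":
    for name, open_cves, release, warns in triage(INVENTORY):
        action = f"upgrade to {release}" if release else "no action required"
        print(f"{name}: open={open_cves or 'none'}; {action}")
        for w in warns:
            print(f"  WARNING: {w}")
```

Feed it whatever your inventory system reports for each node's build string and cumulative patch level; the point of keeping the hot-patch list separate is that a bundle filename on disk says nothing about CVE-2025-20337 coverage, only the cumulative patch level does.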
Active Exploitation
The confirmation of in-the-wild exploitation significantly elevates the urgency of this security issue.
Cisco ISE serves as a critical network access control and policy enforcement platform used by organizations worldwide to manage device authentication and authorization. A successful compromise could provide attackers with extensive network visibility and control capabilities.
Security researchers Bobby Gould of Trend Micro Zero Day Initiative and Kentaro Kawane of GMO Cybersecurity by Ierae were credited with discovering and reporting these vulnerabilities through responsible disclosure processes.
Cisco continues to monitor for exploitation attempts and strongly urges all affected customers to prioritize these updates.
Organizations should verify their ISE versions immediately and plan emergency maintenance windows to apply the necessary patches, given the critical nature of these vulnerabilities and confirmed exploitation activity.