Critical Cisco ISE Vulnerabilities Allow Arbitrary Command Execution Remotely


Cisco has disclosed two critical vulnerabilities in its Identity Services Engine (ISE) software that could allow authenticated, remote attackers to execute arbitrary commands, elevate privileges, and manipulate system configurations on affected devices.

These vulnerabilities, tracked as CVE-2025-20124 and CVE-2025-20125, have been assigned high severity ratings, with CVSS scores of 9.9 and 9.1 respectively. Cisco has released software updates to address these issues, but no workarounds are available.

CVE-2025-20124: Insecure Java Deserialization

This vulnerability stems from the insecure deserialization of user-supplied Java byte streams in an API of Cisco ISE. An attacker with valid read-only administrative credentials could exploit this flaw by sending a malicious serialized Java object to the API.


Successful exploitation would allow the attacker to execute arbitrary commands as the root user, potentially compromising the entire device.
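The weak pattern the advisory describes, an API handler that hands a user-supplied byte stream straight to `ObjectInputStream`, next to the hardened form using a JEP 290 deserialization filter. This is an added illustration, not Cisco's code; `PolicyRequest` and the `guest-vlan` value are made-up, and `HashMap` merely stands in for any class the endpoint was never meant to accept.

```java
import java.io.*;

public class DeserializationHardening {

    // Hypothetical DTO: the only type this API endpoint is meant to accept.
    public static class PolicyRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String policyName;
        public final int priority;
        public PolicyRequest(String policyName, int priority) {
            this.policyName = policyName;
            this.priority = priority;
        }
    }

    // Weak: whatever class the stream names gets instantiated, as long as it is on the classpath.
    public static Object readUnfiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // Hardened: explicit allowlist plus depth/array limits; "!*" rejects every other class.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "DeserializationHardening$PolicyRequest;java.lang.String;maxdepth=4;maxarray=64;!*");

    public static PolicyRequest readFiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(ALLOWLIST);
            Object o = in.readObject();  // throws InvalidClassException when the filter rejects a class
            if (!(o instanceof PolicyRequest)) {
                throw new InvalidObjectException("unexpected type " + o.getClass().getName());
            }
            return (PolicyRequest) o;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new PolicyRequest("guest-vlan", 10));          // constructed input
        byte[] unexpected = serialize(new java.util.HashMap<String, String>()); // constructed input
        System.out.println("unfiltered accepted: " + readUnfiltered(unexpected).getClass().getName());
        System.out.println("filtered accepted: " + readFiltered(legit).policyName);
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected: " + e.getMessage());
        }
    }
}
```

The same allowlist can be applied process-wide with the `jdk.serialFilter` system property, which is the usual choice when the code that calls `readObject` cannot be modified.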

CVE-2025-20125: Authorization Bypass

The second vulnerability is due to a lack of proper authorization checks in a specific API and insufficient validation of user-supplied data. An attacker could exploit this flaw by sending a crafted HTTP request to the vulnerable API.

This could enable the attacker to obtain sensitive information, modify system configurations, and restart the node.

Both vulnerabilities require attackers to possess valid read-only administrative credentials, emphasizing the importance of securing such accounts.

Affected Products

These vulnerabilities affect Cisco ISE and Cisco ISE Passive Identity Connector (ISE-PIC), regardless of device configuration. Specific vulnerable software releases include versions 3.0, 3.1, 3.2, and 3.3. However, version 3.4 is confirmed not to be vulnerable.

  • 3.1: Fixed in version 3.1P10
  • 3.2: Fixed in version 3.2P7
  • 3.3: Fixed in version 3.3P4

Cisco advises customers to migrate to these fixed releases or later versions to mitigate risks.

Cisco has released free software updates addressing these vulnerabilities and recommends that all affected users upgrade their systems immediately. There are no workarounds for these vulnerabilities, making timely updates critical for mitigating potential exploitation risks.

As of now, Cisco’s Product Security Incident Response Team (PSIRT) reports no evidence of public exploitation or malicious use of these vulnerabilities.

Cisco credits Dan Marin and Sebastian Radulea of Deloitte for reporting CVE-2025-20124 and Sebastian Radulea for identifying CVE-2025-20125.

The discovery of these critical vulnerabilities underscores the importance of maintaining up-to-date software and securing administrative credentials in enterprise environments.

Organizations using Cisco ISE should act promptly to apply the recommended updates and safeguard their infrastructure against potential attacks.



