Unveiling Cisco CVE-2025-20337 and ISE-PIC Vulnerabilities


Cisco Security Advisory: Critical Vulnerabilities Uncovered in ISE

Cisco recently released a security advisory highlighting significant vulnerabilities in its Identity Services Engine (ISE) and the ISE Passive Identity Connector (ISE-PIC). These vulnerabilities pose a serious risk, as they could enable remote, unauthenticated attackers to execute arbitrary code with root privileges on affected systems.

Severe Vulnerability Details

The most alarming of these vulnerabilities, identified as CVE-2025-20337, has received the highest possible CVSS score of 10.0. This flaw bears a striking resemblance to another serious issue, CVE-2025-20281, which was patched by Cisco just weeks prior. According to Cisco, both vulnerabilities reside in a specific API used by ISE and ISE-PIC, and both let unauthenticated attackers execute arbitrary code without needing valid credentials.

Affected Versions

Cisco has confirmed that the vulnerabilities impact ISE and ISE-PIC versions 3.3 and 3.4. Devices operating on release 3.2 or earlier are not at risk from CVE-2025-20337 or CVE-2025-20281. Additionally, there is a related vulnerability, CVE-2025-20282, which specifically affects version 3.4.

Vulnerability Insights

CVE-2025-20337 and CVE-2025-20281 both arise from insufficient validation of user-supplied input within the impacted API. An attacker who submits a crafted API request can remotely execute arbitrary code as root. This enables a range of dangerous activities, including data theft and further compromise within the network infrastructure.

Technical Breakdown

The vulnerabilities are categorized as follows:

  • CWE-269: Improper Privilege Management
  • CWE-74: Improper Neutralization of Input

These categories highlight the critical nature of these flaws, as they underline the lack of proper safeguards against unauthorized access.

CVE-2025-20282 results from inadequate file validation checks in an internal API of Cisco ISE and ISE-PIC. This allows remote attackers to upload unauthorized files into privileged directories and execute them, also with elevated privileges. It, too, has a CVSS score of 10.0, indicating a substantial risk.

Recommended Actions and Patching

In light of these discoveries, Cisco has rolled out software updates to address the highlighted vulnerabilities. Organizations running vulnerable releases are urged to upgrade as soon as possible, as no temporary workarounds are available for these issues.

Upgrade Guidelines

Here’s how users should proceed based on their current software version:

  • If running Cisco ISE 3.4 Patch 2, no further actions are required.
  • For those on Cisco ISE 3.3 Patch 6, upgrading to Patch 7 is essential.
  • Users who applied hot patches, such as ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz or ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz, should also upgrade, as these patches do not mitigate CVE-2025-20337.

Cisco emphasizes that each of these vulnerabilities can be exploited independently of the others, and that not all affected releases will necessarily harbor all three CVEs.
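The upgrade guidance above can be applied to a whole fleet with a small triage script. The following is an added example, not Cisco's or the article's own code: the CSV inventory format, hostnames, status labels and the 3.2/3.5 build strings are constructed, and it assumes ISE patches are cumulative, so a patch number at or above the fixed level counts as fixed.

```python
import csv
import io

# First fixed patch level per affected release, as stated in the article.
FIXED_PATCH = {(3, 3): 7, (3, 4): 2}

# Constructed inventory (hostnames, columns and the 3.2/3.5 builds are made up).
SAMPLE_INVENTORY = """\
host,version,patch,hotpatch
ise-a,3.4.0.608,2,
ise-b,3.3.0.430,6,
ise-c,3.3.0.430,4,ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz
ise-d,3.2.0.0,5,
ise-e,3.4.0.608,,
ise-f,3.5.0.0,0,
"""


def triage(version, patch, hotpatch=""):
    """Classify one node from its release, patch number and hot patch name."""
    try:
        major, minor = (int(p) for p in version.split(".")[:2])
    except ValueError:
        return "unknown"              # unparseable version string
    if (major, minor) <= (3, 2):
        return "not-affected"         # 3.2 and earlier are outside these CVEs
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "unknown"              # release the article does not cover
    level = int(patch) if patch.strip().isdigit() else 0
    if level >= fixed:                # assumption: patches are cumulative
        return "fixed"
    # The hot patches do not mitigate CVE-2025-20337, so they never count.
    return "upgrade-hotpatch-insufficient" if hotpatch.strip() else "upgrade"


def triage_inventory(text):
    """Return {host: status} for a CSV inventory with the columns above."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["host"]: triage(r["version"], r["patch"] or "", r["hotpatch"] or "")
            for r in rows}


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Nodes reported as "unknown" run a release the article does not address and should be checked against the Cisco advisory directly.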

By taking prompt action and keeping systems updated, organizations can significantly reduce their risk of compromise.
