CISA Adds Cisco ISE and PaperCut Vulnerabilities to KEV Catalog

CISA Alerts on Critical Vulnerabilities: Understanding Recent Cisco and PaperCut Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a serious alert, adding three impactful vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. Among these are two significant remote code execution flaws within Cisco’s Identity Services Engine (ISE) and a cross-site request forgery (CSRF) vulnerability associated with PaperCut NG/MF software.

Critical Cisco ISE Vulnerabilities: CVE‑2025‑20281 and CVE‑2025‑20337

The first two vulnerabilities, identified as CVE‑2025‑20281 and CVE‑2025‑20337, affect Cisco ISE and ISE-PIC versions 3.3 and 3.4. They stem from inadequate input validation in the API, enabling attackers to send tailored requests that can execute commands on the system without requiring authentication. They have been assigned a CVSS score of 10.0, indicating a critical risk and the potential for complete system compromise.

Cisco first released a security advisory on June 25, warning that CVE‑2025‑20281 could permit unauthorized command execution with root privileges. Subsequently, on July 16, they updated the advisory to include CVE‑2025‑20337, citing increased signs of exploitation in real-world scenarios. Cisco confirmed instances of these attacks between July 21 and July 24, urging all customers to implement necessary updates immediately.

Given the pivotal role Cisco ISE plays in identity and access management within enterprise networks, exploiting these vulnerabilities could allow unauthorized users to breach security protocols and gain extensive control over critical IT infrastructure.

A Third Critical Cisco Vulnerability: CVE‑2025‑20282

While not officially listed in the KEV Catalog, Cisco also reported CVE‑2025‑20282, another unauthenticated remote code execution vulnerability. This specific flaw permits attackers to upload arbitrary files into protected directories within Cisco ISE version 3.4. Like the earlier vulnerabilities, it carries a CVSS score of 10.0. Although CISA hasn’t added it to the KEV list yet, its mention in Cisco’s advisory and evidence of exploitation suggest that it requires immediate attention.

Currently, there are no workarounds for any of the identified Cisco vulnerabilities. Cisco recommends upgrading to ISE/ISE-PIC version 3.3 Patch 7 or 3.4 Patch 2, emphasizing that previous hotfixes, such as Patch 4 or Patch 1, do not suffice.

Addressing PaperCut’s CSRF Vulnerability: CVE‑2023‑2533

The third vulnerability included in the KEV Catalog is CVE‑2023‑2533, a CSRF vulnerability in PaperCut NG/MF. Initially disclosed in June 2023, CISA’s decision to add this vulnerability highlights its continuing exploitation in the wild.

CVE‑2023‑2533 impacts PaperCut versions 21.2.0 to 22.0.12 across all major operating systems. The vulnerability allows an attacker to deceive a logged-in administrator into clicking a malicious link, which could lead to unauthorized alterations in system settings or the execution of arbitrary commands. It has a CVSS score of 8.4.

To mitigate this risk, PaperCut Software has released version 22.1.1, which includes a series of security enhancements, such as isolating script execution controls and restricting external executables. This release also addresses two additional vulnerabilities: CVE‑2023‑31046 (path traversal) and CVE‑2023‑39469 (a chained exploit scenario).

PaperCut has clarified that only the core application and site servers are affected by this vulnerability; components such as Direct Print Monitors, Mobility Print, Hive, Pocket, and MFD Embedded software are unaffected.
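The fixed versions quoted above for Cisco ISE/ISE-PIC and for PaperCut NG/MF can be turned into an inventory triage check. The following is an added example, not code from Cisco, PaperCut or CISA. The inventory format (strings such as "3.4 Patch 1"), the status labels and the sample hosts are assumptions made for illustration; versions the article does not characterise are returned as "not-covered" for manual review.

```python
import re

# Values taken from the article: minimum fixed patch per ISE/ISE-PIC release,
# and the PaperCut NG/MF affected range and fixed release.
ISE_FIXED_PATCH = {"3.3": 7, "3.4": 2}
PAPERCUT_AFFECTED = ((21, 2, 0), (22, 0, 12))
PAPERCUT_FIXED = (22, 1, 1)

ISE_RE = re.compile(r"^\s*(\d+\.\d+)(?:\.\d+)*(?:\s+patch\s+(\d+))?\s*$", re.I)
PAPERCUT_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")

def triage_ise(version: str) -> str:
    """Classify a string such as '3.4 Patch 1' (assumed inventory format)."""
    m = ISE_RE.match(version)
    if not m:
        return "unparsed"
    release, patch = m.group(1), int(m.group(2) or 0)  # no patch listed -> 0
    fixed = ISE_FIXED_PATCH.get(release)
    if fixed is None:
        return "not-covered"  # article only discusses releases 3.3 and 3.4
    return "patched" if patch >= fixed else "vulnerable"

def triage_papercut(version: str) -> str:
    """Classify a PaperCut NG/MF 'major.minor.patch' version string."""
    m = PAPERCUT_RE.match(version)
    if not m:
        return "unparsed"
    v = tuple(int(g) for g in m.groups())
    low, high = PAPERCUT_AFFECTED
    if low <= v <= high:
        return "vulnerable"
    # Versions outside the stated range and below the fixed release are not
    # characterised by the article, so they are flagged for manual review.
    return "patched" if v >= PAPERCUT_FIXED else "not-covered"

def triage_inventory(rows):
    """rows: (host, product, version) tuples -> list of (host, status)."""
    checks = {"ise": triage_ise, "ise-pic": triage_ise, "papercut": triage_papercut}
    return [(h, checks.get(p.lower(), lambda _v: "not-covered")(v)) for h, p, v in rows]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ise-pan-01", "ISE", "3.3 Patch 4"),
    ("ise-psn-02", "ISE", "3.4 Patch 2"),
    ("print-01", "PaperCut", "22.0.12"),
    ("print-02", "PaperCut", "22.1.1"),
]
```

Note that an ISE node on 3.3 Patch 4 or 3.4 Patch 1 is reported as vulnerable, matching the statement above that those earlier patches do not suffice.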

Chronology of Recent Vulnerability Disclosures

  • June 25, 2025: Cisco announces CVE‑2025‑20281.
  • July 16, 2025: Cisco updates the advisory to include CVE‑2025‑20337.
  • July 21–24, 2025: Evidence of exploitation confirmed in real-world attacks.
  • Late July 2025: CISA adds CVE‑2025‑20281, CVE‑2025‑20337, CVE‑2025‑20282, and CVE‑2023‑2533 to the KEV Catalog.

While some sources may report a lack of confirmed public exploitation, the classification of these vulnerabilities by both Cisco and CISA reflects credible evidence of targeted attacks and widespread scanning activities.

Understanding the Risks to Enterprise Infrastructure

Cisco ISE is vital for network access control and user authentication. An attacker exploiting CVE‑2025‑20281 or CVE‑2025‑20337 could gain root access to critical systems, jeopardizing entire corporate networks. What amplifies the severity of these vulnerabilities is that they do not require credentials or user interactions, which significantly raises their threat level.

Conversely, while the PaperCut CSRF vulnerability may appear less critical, it still poses a substantial risk, especially when the PaperCut admin portal is exposed on public networks. CSRF vulnerabilities like CVE‑2023‑2533 can be exploited to surreptitiously change configurations or deploy malware under certain attack chains.
