Cisco has disclosed three major security vulnerabilities in its Identity Services Engine (ISE) and ISE-PIC platforms. Two of them are critical remote code execution (RCE) flaws that can be exploited without authentication, allowing full system compromise. These flaws are highly impactful for organizations using ISE for centralized network access control.
CVE-2025-20281 – Unauthenticated API Remote Code Execution
🔍 Description:
An unauthenticated attacker can exploit a vulnerability in the web-based management interface by sending specially crafted API requests. Successful exploitation allows execution of arbitrary operating system commands as the root user, enabling full takeover of the ISE appliance.
📌 Technical Notes:
- Located in an exposed API endpoint.
- Exploitation is possible remotely with no credentials.
- Affects the core functionality of ISE used for AAA services.
🧱 Affected Versions:
- Cisco ISE and ISE-PIC 3.3 and 3.4 (pre-patch versions)
🛠️ Fixed In:
- ISE/ISE-PIC 3.3 Patch 6
- ISE/ISE-PIC 3.4 Patch 2
CVE-2025-20282 – Unauthenticated File Upload and RCE via Internal API
🔍 Description:
This vulnerability allows a remote attacker to upload malicious files via an unauthenticated internal API and execute them with root privileges.
📌 Technical Notes:
- Abuses weak validation in file handling mechanisms.
- Can be chained with CVE-2025-20281 for broader lateral movement.
- Ideal for attackers to establish persistent backdoors.
🧱 Affected Versions:
- Cisco ISE/ISE-PIC 3.4 only
🛠️ Fixed In:
- ISE/ISE-PIC 3.4 Patch 2
CVE-2025-20264 – SAML SSO Authorization Bypass
🔍 Description:
In environments using SAML-based Single Sign-On (SSO), a vulnerability allows authenticated users to bypass proper authorization checks. This could lead to unauthorized system changes, including rebooting the system or modifying core configurations.
📌 Technical Notes:
- Requires valid SAML session, but not elevated role.
- Risk of privilege escalation and disruption.
- Primarily affects multi-admin environments with role-based access.
🧱 Affected Versions:
- Cisco ISE 3.2 – 3.4
🛠️ Fixed In:
- ISE 3.4 Patch 2
- ISE 3.3 Patch 5
- ISE 3.2 Patch 8 (expected in Nov 2025)
📣 Cisco Advisory Highlights
- Advisory Release Date: June 25, 2025
- Cisco confirmed no workarounds are available; patching is the only mitigation.
- Exploitation may be trivial if external management access is not properly restricted.
- Vulnerabilities were also highlighted by CISA, CIS, and global CERTs due to critical risk.
