CISA adds Cisco ISE and PaperCut MF flaws to KEV Catalog


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three significant vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on July 28, 2025, following evidence of active exploitation. These include two vulnerabilities affecting Cisco Identity Services Engine (ISE) and one affecting the PaperCut NG/MF print management software.

Details on Newly Added Vulnerabilities

1. CVE-2025-20281 – Cisco ISE Injection Vulnerability

  • Type: Injection flaw in Cisco Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC).
  • Impact: Allows unauthenticated, remote attackers to execute arbitrary system commands as the root user. Successful exploitation gives attackers full control over the system.
  • Technical Cause: Insufficient validation of user-supplied input in exposed APIs, which attackers can exploit with crafted API requests.
  • CVSS Score: 10.0, indicating maximum severity.
  • Mitigation: Cisco has issued software updates. Immediate patching is strongly recommended, as no workarounds exist.

2. CVE-2025-20337 – Cisco ISE Injection Vulnerability

  • Type: Similar to CVE-2025-20281, this is another injection flaw in Cisco ISE and ISE-PIC.
  • Impact: Also allows unauthenticated, remote attackers to execute commands on the underlying operating system with root privileges. The techniques are similar to those for CVE-2025-20281.
  • Observed Attacks: Cisco and CISA have both confirmed exploitation attempts in the wild as of July 2025.
  • Mitigation: As with CVE-2025-20281, patching to the latest fixed versions is crucial.

3. PaperCut NG/MF (CVE-2023-2533) – Cross-Site Request Forgery (CSRF) & Remote Code Execution

  • Type: Critical CSRF vulnerability in PaperCut NG/MF.
  • Impact: Under certain conditions, attackers can trick a logged-in administrator into executing unauthorized actions, such as changing settings or running code. Attackers may hijack privileged sessions through crafted malicious links.
  • Ecosystem Impacted: Widely used in education, healthcare, and corporate environments. More than 70,000 organizations use PaperCut products worldwide.
  • Threat Activity: Active exploitation has been observed, with attackers leveraging this flaw for remote code execution and lateral movement within networks.
  • Mitigation: PaperCut released patches in June 2023. Admins must ensure servers are fully updated and monitor logs for suspicious admin activities.

CISA KEV Catalog & Action Items

CISA’s KEV catalog highlights vulnerabilities that pose severe risks due to active exploitation. Federal Civilian Executive Branch (FCEB) agencies are required by Binding Operational Directive 22-01 to patch these by August 18, 2025. All other organizations, including those in the private sector, are strongly urged to patch immediately to reduce exposure and risk.

Recommended Steps

  • Patch immediately: Apply all available fixes for the affected Cisco ISE, ISE-PIC, and PaperCut NG/MF versions.
  • Audit systems: Review exposure and search for indications of compromise, especially if patching was delayed.
  • Restrict access: Harden external-facing admin interfaces, use strong user authentication, and monitor for unusual activity.
  • Monitor CISA alerts: Subscribe to the KEV Catalog updates for rapid awareness of new critical threats.

Failure to remediate exposes organizations to ransomware, data theft, and additional systemic risks.
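
One way to act on the "Audit systems" and "Monitor CISA alerts" steps is to match each new batch of KEV entries against an asset inventory and track the days left until the due date. The script below is an added example, not code from CISA or the vendors; the inventory, hostnames, exact-name matching and the placeholder entry are assumptions, and only the CVE IDs and dates of the first three entries come from the article.

```python
import json
from datetime import date

# Constructed excerpt in the KEV JSON feed layout. CVE IDs and dates for the
# first three entries come from the article; other values are illustrative,
# and the last entry is a placeholder that predates this update.
KEV_SAMPLE = """{"vulnerabilities": [
 {"cveID": "CVE-2025-20281", "vendorProject": "Cisco", "product": "Identity Services Engine",
  "dateAdded": "2025-07-28", "dueDate": "2025-08-18"},
 {"cveID": "CVE-2025-20337", "vendorProject": "Cisco", "product": "Identity Services Engine",
  "dateAdded": "2025-07-28", "dueDate": "2025-08-18"},
 {"cveID": "CVE-2023-2533", "vendorProject": "PaperCut", "product": "NG/MF",
  "dateAdded": "2025-07-28", "dueDate": "2025-08-18"},
 {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
  "dateAdded": "2025-01-06", "dueDate": "2025-01-27"}
]}"""

# Hypothetical asset inventory; "patched" would come from your own patch records.
INVENTORY = [
    {"host": "ise-01.example.internal", "vendor": "Cisco",
     "product": "Identity Services Engine", "patched": False},
    {"host": "print-01.example.internal", "vendor": "PaperCut",
     "product": "NG/MF", "patched": True},
    {"host": "app-01.example.internal", "vendor": "ExampleVendor",
     "product": "ExampleProduct", "patched": False},
]

def open_findings(kev_json, inventory, since, today):
    """Unpatched assets hit by KEV entries added on or after `since`,
    with days left until the KEV due date (negative means overdue)."""
    findings = []
    for vuln in json.loads(kev_json)["vulnerabilities"]:
        if date.fromisoformat(vuln["dateAdded"]) < since:
            continue  # entry belongs to an earlier catalog update
        key = (vuln["vendorProject"].lower(), vuln["product"].lower())
        days_left = (date.fromisoformat(vuln["dueDate"]) - today).days
        for asset in inventory:
            same = (asset["vendor"].lower(), asset["product"].lower()) == key
            if same and not asset["patched"]:
                findings.append((days_left, asset["host"], vuln["cveID"]))
    return sorted(findings)  # most urgent (fewest days left) first

if __name__ == "__main__":
    since, today = date(2025, 7, 28), date(2025, 8, 1)
    for days_left, host, cve in open_findings(KEV_SAMPLE, INVENTORY, since, today):
        print(f"{host}: {cve} due in {days_left} days")
```

In practice the JSON would be the downloaded KEV feed rather than the embedded sample, and product matching usually needs a mapping from inventory names to the catalog's vendor and product strings.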
