Cisco Releases Fixes for Identity Services Engine (ISE) Vulnerabilities (CVE-2025-20124 & CVE-2025-20125)

Cisco has released fixes for two critical vulnerabilities in Cisco Identity Services Engine (ISE), tracked as CVE-2025-20124 (CVSS 9.9) and CVE-2025-20125 (CVSS 9.1). Successful exploitation may allow an authenticated, remote attacker to execute arbitrary commands as root and elevate privileges on an affected device. Both flaws require valid read-only administrative credentials, so they are post-authentication issues; the point that matters for defenders is that the least-privileged admin role is enough to take full control of the server that decides who gets on the network.

Cisco Identity Services Engine (ISE) is a network access control and policy platform: it authenticates and authorizes users and endpoints (for example over 802.1X/RADIUS) and controls administrative access to network devices (TACACS+), so that only trusted users and devices reach network resources. Because ISE is the authentication authority for the network, compromising an ISE node affects every switch, wireless controller, and VPN gateway that relies on it.

CVE-2025-20124: Cisco ISE Insecure Java Deserialization Vulnerability

The vulnerability exists in an API of Cisco ISE and stems from insecure deserialization of user-supplied Java byte streams. An attacker could exploit it by sending a crafted serialized Java object to the affected API. Successful exploitation allows the attacker to execute arbitrary commands on the underlying operating system as root and elevate privileges. Deserializing untrusted Java streams is dangerous because the stream itself names the classes the receiver instantiates; without an allow-list filter on the ObjectInputStream, any class on the application's classpath whose deserialization callbacks have side effects becomes a potential gadget.

Exploitation requires valid read-only administrative credentials, so the attacker must already hold a session on the admin API. Cisco also notes that in a single-node deployment, new devices cannot authenticate while the node reloads.
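Cisco's advisory does not publish the affected endpoint or a payload, and there is no workaround, so the practical thing a defender can do at the perimeter or in a proxy log is to spot serialized Java objects arriving at an API that should only ever see JSON or form data. The script below is an added detection example written for this post, not code from Cisco or from ISE. It relies only on the public Java serialization format: every stream opens with STREAM_MAGIC 0xACED and version 0x0005 (which base64-encodes to the prefix "rO0AB"), and the first class descriptor carries a length-prefixed class name that is worth logging. The request bodies, field names and the class name com.example.Gadget are constructed for the example.

```python
import base64
import binascii
import re
import struct
from typing import Optional
from urllib.parse import quote_from_bytes, unquote_to_bytes

# Every Java serialization stream opens with STREAM_MAGIC (0xACED) followed by
# STREAM_VERSION (0x0005). Base64-encoding those four bytes always yields "rO0AB".
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
B64_MAGIC_RE = re.compile(rb"rO0AB[A-Za-z0-9+/=]*")
TC_OBJECT = 0x73      # type code: a new object follows
TC_CLASSDESC = 0x72   # type code: a new class descriptor follows


def first_class_name(stream: bytes) -> Optional[str]:
    """Return the first class a Java stream asks the receiver to instantiate.

    Handles the most common opening layout (magic, TC_OBJECT, TC_CLASSDESC,
    2-byte big-endian length, class name). Other layouts return None.
    """
    if not stream.startswith(JAVA_STREAM_MAGIC) or len(stream) < 8:
        return None
    if stream[4] != TC_OBJECT or stream[5] != TC_CLASSDESC:
        return None
    (name_len,) = struct.unpack(">H", stream[6:8])
    name = stream[8:8 + name_len]
    if len(name) != name_len:
        return None
    return name.decode("utf-8", errors="replace")


def find_java_object(body: bytes) -> Optional[dict]:
    """Scan an HTTP request body for a serialized Java object.

    Looks at the raw body first, then at a percent-decoded copy, checking for
    the binary magic and then for a base64 run that decodes to it. Returns the
    transport stage, the encoding, the offset and the first class named, or None.
    """
    for transport, candidate in (("raw", body), ("urlencoded", unquote_to_bytes(body))):
        idx = candidate.find(JAVA_STREAM_MAGIC)
        if idx != -1:
            return {"transport": transport, "encoding": "binary",
                    "offset": idx, "class": first_class_name(candidate[idx:])}
        m = B64_MAGIC_RE.search(candidate)
        if m:
            blob = m.group(0)
            blob = blob[: len(blob) - len(blob) % 4]  # drop a trailing partial quantum
            try:
                decoded = base64.b64decode(blob)
            except binascii.Error:
                decoded = b""
            if decoded.startswith(JAVA_STREAM_MAGIC):
                return {"transport": transport, "encoding": "base64",
                        "offset": m.start(), "class": first_class_name(decoded)}
    return None


def make_sample_stream(class_name: str) -> bytes:
    """Constructed sample: stream header plus the start of one class descriptor.

    Enough for first_class_name() to parse, but NOT a complete or deserializable
    object, so it is safe to embed as test data.
    """
    name = class_name.encode("utf-8")
    return (JAVA_STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC])
            + struct.pack(">H", len(name)) + name + b"\x00" * 8)


# Constructed request bodies; "com.example.Gadget" is a placeholder class name.
SAMPLE_BODIES = {
    "binary_post": make_sample_stream("java.util.HashMap"),
    "b64_in_form": b"nodeId=42&payload=" + base64.b64encode(make_sample_stream("com.example.Gadget")),
    "pct_encoded_form": b"payload=" + quote_from_bytes(make_sample_stream("java.util.HashMap"), safe="").encode(),
    "benign_json": b'{"name":"printer-01","mac":"00:11:22:33:44:55"}',
}

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(f"{label:18} -> {find_java_object(body)}")
```

The class name is the most useful field to alert on: an API that exchanges JSON should never receive a Java object at all, and a request naming a class outside the product's own packages deserves an immediate look. Note that a positive match only says "this body carries a Java object"; it does not confirm exploitation, and a payload compressed or encrypted in transit will not match.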

CVE-2025-20125: Cisco ISE Authorization Bypass Vulnerability

The vulnerability exists in a specific API of Cisco ISE and stems from a lack of authorization checks on that API combined with improper validation of user-supplied data: the API confirms that the caller is authenticated but not that the caller's role permits the requested operation. An attacker could exploit it by sending a crafted HTTP request to the API. Successful exploitation allows an attacker holding only read-only credentials to obtain sensitive information, modify the node configuration, and reload the device.

As with CVE-2025-20124, exploitation requires valid read-only administrative credentials. Because a reload is within reach, the availability impact matters: in a single-node deployment, new devices cannot authenticate during the reload.
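The flaw class here is authentication being mistaken for authorization: the endpoint verifies that a session exists and then performs a privileged operation without asking whether that session's role is allowed to. The example below is added for this post and is not ISE code; the endpoints, role names and configuration fields are hypothetical. It places a handler that only checks for a session next to one that applies a deny-by-default, per-operation policy and validates the request body before dispatching, so the two behaviours can be compared on the same requests.

```python
from dataclasses import dataclass, field

# Hypothetical two-level role model and endpoints, used only to illustrate the flaw class.
READ_ONLY_ADMIN = "ReadOnlyAdmin"
SUPER_ADMIN = "SuperAdmin"
ROLE_RANK = {READ_ONLY_ADMIN: 1, SUPER_ADMIN: 2}

# Minimum role each operation requires. Anything not listed is denied by default.
POLICY = {
    ("GET", "/api/node/config"): READ_ONLY_ADMIN,
    ("PUT", "/api/node/config"): SUPER_ADMIN,
    ("POST", "/api/node/reload"): SUPER_ADMIN,
}

ALLOWED_CONFIG_KEYS = {"hostname", "ntp_servers"}


class Forbidden(Exception):
    pass


class BadRequest(Exception):
    pass


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    user: str   # authenticated principal, resolved from the session
    role: str   # role resolved server-side from the session, never taken from the body
    body: dict = field(default_factory=dict)


def _dispatch(req: Request) -> str:
    """Stand-in for the real handlers; returns what the operation would have done."""
    if req.method == "GET":
        return "config-read"
    if req.method == "PUT":
        return "config-updated:" + ",".join(sorted(req.body))
    if req.method == "POST" and req.path.endswith("/reload"):
        return "node-reloading"
    raise BadRequest("unsupported operation")


def handle_vulnerable(req: Request) -> str:
    """Flaw class described for CVE-2025-20125: the only check is that a session exists,
    so a read-only admin reaches the write and reload paths."""
    if not req.user:
        raise Forbidden("unauthenticated")
    return _dispatch(req)


def _validate_config(body: dict) -> None:
    """Reject unexpected keys and malformed values before they reach the handler."""
    unknown = set(body) - ALLOWED_CONFIG_KEYS
    if unknown:
        raise BadRequest(f"unexpected fields: {sorted(unknown)}")
    hostname = body.get("hostname")
    if hostname is not None and not (
        isinstance(hostname, str) and 0 < len(hostname) <= 63 and hostname.replace("-", "").isalnum()
    ):
        raise BadRequest("invalid hostname")
    ntp = body.get("ntp_servers")
    if ntp is not None and not (isinstance(ntp, list) and all(isinstance(s, str) for s in ntp)):
        raise BadRequest("invalid ntp_servers")


def handle_fixed(req: Request) -> str:
    """Authenticate, then authorize the specific operation against a deny-by-default
    policy, then validate input, and only then dispatch."""
    if not req.user:
        raise Forbidden("unauthenticated")
    required = POLICY.get((req.method, req.path))
    if required is None:
        raise Forbidden("no policy for this operation")
    if ROLE_RANK.get(req.role, 0) < ROLE_RANK[required]:
        raise Forbidden(f"{req.role} may not {req.method} {req.path}")
    if req.method == "PUT":
        _validate_config(req.body)
    return _dispatch(req)


if __name__ == "__main__":
    ro_put = Request("PUT", "/api/node/config", "audit", READ_ONLY_ADMIN, {"hostname": "ise-node-1"})
    print("vulnerable:", handle_vulnerable(ro_put))
    try:
        handle_fixed(ro_put)
    except Forbidden as e:
        print("fixed:", e)
```

Two design points carry the weight: the role comes from the server-side session rather than from anything the client sends, and the policy table is consulted per (method, path) with an explicit deny when no entry exists, so adding a new endpoint without thinking about its authorization fails closed instead of open.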

Affected Versions

The vulnerabilities affect Cisco Identity Services Engine (ISE) releases 3.0 through 3.3. Release 3.4 is not affected.

Mitigation

Cisco has released software updates that address these vulnerabilities; there are no workarounds. Upgrade to the fixed patch for your release train:

  • Cisco Identity Services Engine (ISE) 3.0: no fixed patch; migrate to a fixed release
  • Cisco Identity Services Engine (ISE) 3.1P10
  • Cisco Identity Services Engine (ISE) 3.2P7
  • Cisco Identity Services Engine (ISE) 3.3P4

Because the flaws are reachable only with read-only administrative credentials, reviewing who holds that role, and rotating credentials for any account that may have been exposed, is a sensible complement to patching, not a substitute for it.

For more information, please refer to Cisco Security Advisory (cisco-sa-ise-multivuls-FTW9AOXF).

Qualys Detection

Qualys customers can scan their ISE deployments with QID 317599 to identify nodes that have not yet been upgraded to a fixed release.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multivuls-FTW9AOXF
