Cisco has addressed two critical-severity vulnerabilities affecting Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). Tracked as CVE-2025-20281 and CVE-2025-20282, both vulnerabilities carry a CVSS score of 10. Successful exploitation may allow an unauthenticated, remote attacker to run commands on the underlying operating system as the root user.
Cisco Identity Services Engine (ISE) is a network security system that ensures only trusted users and devices can access resources on a network. ISE is a policy engine that provides endpoint access control and network device administration.
Cisco ISE API Unauthenticated Remote Code Execution Vulnerability (CVE-2025-20281)
This vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC stems from insufficient validation of user-supplied input. No valid credentials are required: an attacker could exploit it by submitting a crafted API request. Successful exploitation could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root.
Cisco ISE API Unauthenticated Remote Code Execution Vulnerability (CVE-2025-20282)
This vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC stems from a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. An attacker could exploit it by uploading a crafted file to the affected device. Successful exploitation could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges.
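The defect class behind CVE-2025-20282 is an upload path that is never checked against where the file is allowed to land. The following is an added, illustrative upload handler (not Cisco's code, and not a description of the ISE internal API) showing the checks a defender expects: a bare file name only, a strict character and extension allow-list, and a final containment check that the resolved destination is still inside the upload root. The allow-lists, the upload root and the sample file names in `demo()` are constructed for this example.

```python
import os
import re
import tempfile

# Constructed policy for this example: uploads may only be written inside the
# upload root, under a plain file name, with an allow-listed extension.
ALLOWED_EXTENSIONS = {".pem", ".crt", ".csv"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class UploadRejected(ValueError):
    """Raised when a client-supplied file name fails the upload policy."""


def resolve_upload_path(upload_root: str, client_filename: str) -> str:
    """Return the only path this upload may be written to, or raise UploadRejected.

    Checks, in order: the name has no directory components (so no traversal),
    it matches a strict character allow-list, it carries an allow-listed
    extension, and the fully resolved destination still lies inside
    upload_root. The last check is the one that stops a crafted name from
    placing the file in a privileged directory even if an earlier check is
    loosened later.
    """
    if not client_filename or client_filename != os.path.basename(client_filename):
        raise UploadRejected("directory components are not allowed")
    if client_filename in (".", "..") or not SAFE_NAME.match(client_filename):
        raise UploadRejected("file name contains disallowed characters")
    ext = os.path.splitext(client_filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, client_filename))
    # Defence in depth: confirm containment on the resolved path.
    if os.path.commonpath([root, dest]) != root:
        raise UploadRejected("resolved path escapes the upload root")
    return dest


def store_upload(upload_root: str, client_filename: str, data: bytes) -> str:
    """Write the upload with a private mode and without clobbering existing files."""
    dest = resolve_upload_path(upload_root, client_filename)
    # O_EXCL fails if anything (file or symlink) already exists at dest;
    # mode 0o600 keeps the stored file private to the service account.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Run the policy over constructed file names; returns the outcome per name."""
    root = tempfile.mkdtemp(prefix="upload-policy-demo-")
    samples = [
        "cert.pem",                    # accepted
        "../../etc/cron.d/job.pem",    # traversal: rejected
        "/usr/local/bin/tool.pem",     # absolute path: rejected
        "config.sh",                   # extension not allow-listed: rejected
        "ok name.csv",                 # space not in allow-list: rejected
    ]
    results = {}
    for name in samples:
        try:
            results[name] = os.path.relpath(store_upload(root, name, b"constructed"), root)
        except UploadRejected as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r}: {outcome}")
```

The containment check uses `os.path.realpath` on both sides so a symlinked upload root and a symlinked destination are compared after resolution, and `O_EXCL` on the write refuses to follow a pre-planted file or link at the destination.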
Affected Versions
CVE-2025-20281
This vulnerability affects Cisco ISE and ISE-PIC Release 3.3 and later, regardless of device configuration.
CVE-2025-20282
This vulnerability affects only Cisco ISE and ISE-PIC Release 3.4, regardless of device configuration.
Note: These vulnerabilities do not affect Cisco ISE and ISE-PIC Release 3.2 or earlier.
Mitigation
CVE-2025-20281
- Cisco ISE and ISE-PIC 3.3 Patch 6: ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz
- Cisco ISE and ISE-PIC 3.4 Patch 2: ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz
CVE-2025-20282
- Cisco ISE and ISE-PIC 3.4 Patch 2: ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz
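The affected-release rules above are easy to misread across a fleet (3.3 and later for one CVE, 3.4 only for the other, nothing at 3.2 or earlier), so here is an added triage helper, not a Cisco or Qualys tool, that reduces full build strings to a (major, minor) release and maps each node to the CVEs that apply and the patch file listed in this post. It decides by release only; whether a 3.3 or 3.4 node already carries the listed patch level must be checked separately. The host names and version strings in `sample_inventory()` are constructed input.

```python
import re

# Rules as published for these CVEs:
#   CVE-2025-20281: Release 3.3 and later, regardless of configuration
#   CVE-2025-20282: Release 3.4 only, regardless of configuration
#   Release 3.2 and earlier: not affected by either
# Patch file names are the ones listed in the post.
PATCHES = {
    (3, 3): "Cisco ISE and ISE-PIC 3.3 Patch 6: ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz",
    (3, 4): "Cisco ISE and ISE-PIC 3.4 Patch 2: ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz",
}

_RELEASE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.\d+)*\s*$")


def parse_release(version: str) -> tuple:
    """Reduce a build string such as '3.4.0.608' to its (major, minor) release."""
    m = _RELEASE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def triage(version: str) -> dict:
    """Return the CVEs from this post that apply to one release and the listed fix."""
    release = parse_release(version)
    cves = []
    if release >= (3, 3):            # "3.3 and later"
        cves.append("CVE-2025-20281")
    if release == (3, 4):            # "only Release 3.4"
        cves.append("CVE-2025-20282")
    if not cves:
        fix = "not affected"
    else:
        # A release newer than 3.4 falls under "3.3 and later" for
        # CVE-2025-20281 but has no patch listed here, so flag it for review.
        fix = PATCHES.get(
            release,
            "affected; no patch listed in this post, consult cisco-sa-ise-unauth-rce-ZAd2GnJ6",
        )
    return {"release": release, "cves": cves, "fix": fix}


def sample_inventory() -> dict:
    """Constructed node list (hypothetical hosts and versions) run through triage()."""
    nodes = {
        "ise-pan-01": "3.2.0.0",
        "ise-psn-02": "3.3.0.430",
        "ise-pic-03": "3.4.0.608",
        "ise-lab-04": "3.5.0.0",
    }
    return {host: triage(ver) for host, ver in nodes.items()}


if __name__ == "__main__":
    for host, result in sample_inventory().items():
        print(f"{host}: {result['cves'] or 'none'} -> {result['fix']}")
```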
For more information, refer to the Cisco Security Advisory cisco-sa-ise-unauth-rce-ZAd2GnJ6.
Qualys Detection
Qualys customers can scan their devices with QIDs 317666 and 317667 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.