Cisco Patches Critical ISE Vulnerabilities Allowing Root-Level Remote Code Execution
Cisco has released patches to address critical vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could allow unauthenticated remote attackers to execute arbitrary code with root privileges.
TL;DR
Cisco has addressed two critical vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could allow unauthenticated remote attackers to execute arbitrary code with root privileges. The flaws, tracked as CVE-2025-20281 and CVE-2025-20282, affect specific versions of the software. Cisco has released patches to fix these issues and recommends immediate updates.
Cisco Patches Critical ISE Vulnerabilities
Cisco has released patches to address two critical vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). These vulnerabilities, if exploited, could allow unauthenticated remote attackers to execute arbitrary code with root privileges.
Vulnerability Details
The two critical vulnerabilities are tracked as:
- CVE-2025-20281: Affects Cisco ISE/ISE-PIC 3.3 and later versions.
- CVE-2025-20282: Affects only version 3.4.
Both vulnerabilities have a CVSS score of 10, indicating their severe nature.
CVE-2025-20281
This vulnerability allows unauthenticated remote attackers to execute code as root via a vulnerable API. According to Cisco’s advisory:
This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.
CVE-2025-20282
This vulnerability allows unauthenticated remote attackers to upload and execute files as root via an internal API. Cisco’s advisory states:
This vulnerability is due to a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. An attacker could exploit this vulnerability by uploading a crafted file to the affected device. A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system.
Affected Versions and Patches
The following table includes the fixed releases for the vulnerabilities:
| Cisco ISE or ISE-PIC Release | First Fixed Release for CVE-2025-20281 | First Fixed Release for CVE-2025-20282 |
|---|---|---|
| 3.2 and earlier | Not vulnerable | Not vulnerable |
| 3.3 | 3.3 Patch 6 | Not vulnerable |
| 3.4 | 3.4 Patch 2 | 3.4 Patch 2 |
Cisco has stated that there are no workarounds to address these vulnerabilities, emphasizing the importance of applying the patches.
No Known Exploits
Cisco’s Product Security Incident Response Team (PSIRT) has not detected any attacks exploiting these vulnerabilities in the wild. However, users are strongly advised to update their systems to the patched versions to prevent potential exploits.
Conclusion
The critical vulnerabilities in Cisco ISE and ISE-PIC highlight the importance of timely security updates. Organizations using these systems should prioritize applying the patches to protect against potential remote code execution attacks. Staying vigilant and proactive in addressing security vulnerabilities is crucial for maintaining robust cybersecurity defenses.