Critical Cisco ISE Vulnerability Threatens Cloud Deployments on AWS, Azure, and Oracle
Learn about the critical flaw in Cisco ISE affecting cloud deployments on AWS, Microsoft Azure, and Oracle. Discover the impact, mitigation strategies, and the importance of addressing this vulnerability for enhanced cybersecurity.
TL;DR
A critical vulnerability in Cisco ISE, tracked as CVE-2025-20286, allows unauthenticated attackers to access sensitive data and perform administrative actions in cloud deployments on AWS, Microsoft Azure, and Oracle Cloud Infrastructure. This flaw arises from improperly generated credentials, potentially compromising multiple deployments.
Introduction
Cisco has addressed a critical flaw in the Identity Services Engine (ISE) that poses significant risks to cloud deployments on AWS, Microsoft Azure, and Oracle Cloud Infrastructure. This vulnerability, identified as CVE-2025-20286 with a CVSS score of 9.9, enables unauthenticated remote attackers to access sensitive data, perform limited administrative actions, modify configurations, or disrupt services.
Vulnerability Overview
The vulnerability in Cisco ISE cloud deployments is caused by the system generating identical credentials across different instances using the same software version and cloud platform (AWS, Azure, or OCI). This results in multiple deployments sharing the same login details, making them vulnerable to attacks. An attacker could exploit this flaw by extracting credentials from one Cisco ISE instance and using them to access others, potentially gaining access to sensitive data, changing settings, or disrupting services.[1]
Impact and Exploitation
According to the advisory, this vulnerability exists because credentials are improperly generated when Cisco ISE is deployed on cloud platforms, resulting in different Cisco ISE deployments sharing the same credentials. These credentials are shared across multiple Cisco ISE deployments as long as the software release and cloud platform are the same. An attacker could exploit this vulnerability by extracting the user credentials from Cisco ISE that is deployed in the cloud and then using them to access Cisco ISE that is deployed in other cloud environments through unsecured ports.[1]
Discovery and Mitigation
Kentaro Kawane of GMO Cybersecurity discovered the vulnerability. Cisco PSIRT has confirmed that proof-of-concept code exists for the vulnerability but says there’s no evidence that the flaw has been actively exploited in attacks in the wild.
The flaw impacts the following versions:

| Cisco Identity Services Engine Release | First Fixed Release |
|---|---|
| 3.1 | Migrate to a fixed release. |
| 3.2 | Migrate to a fixed release. |
| 3.3 | 3.3P8 (November 2025) |
| 3.4 | 3.4P3 (October 2025) |
| 3.5 | Planned release (Aug 2025) |
There’s no direct workaround for the Cisco Identity Services Engine cloud vulnerability; however, Cisco has provided important mitigations that administrators can apply. First, limit access by allowing only trusted source IP addresses, either through cloud security groups or directly within the Cisco Identity Services Engine interface. For new installations, Cisco recommends running the application reset-config ise command on the cloud-based primary node to generate fresh credentials. Note: this will reset the system to factory settings, and restoring from a backup will bring back the original (potentially vulnerable) credentials.
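As an added example (not code from the advisory or from Cisco), here is a small audit for the first mitigation: given one security group in the JSON shape returned by `aws ec2 describe-security-groups`, it reports every ISE-facing port that is reachable from a source outside a list of trusted CIDRs. The ports checked (TCP 22 and 443) and the sample group are assumptions constructed for this example; the advisory does not enumerate the ports itself.

```python
import ipaddress
import json

# Ports the audit checks. The advisory does not list them; these are an
# assumption for the example (ISE admin GUI on TCP/443, SSH on TCP/22).
ISE_PORTS = {22, 443}

def _rule_covers(perm, port):
    """True if a security-group permission entry applies to TCP `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # "all traffic" rules cover every port
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def _is_trusted(cidr, trusted):
    """True if `cidr` lies entirely inside one of the trusted networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)

def audit_security_group(sg, trusted_cidrs):
    """Return (port, cidr) pairs where an ISE port is reachable from an
    untrusted source. `sg` is one element of "SecurityGroups" as returned
    by `aws ec2 describe-security-groups`."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for port in sorted(ISE_PORTS):
            if not _rule_covers(perm, port):
                continue
            for cidr in cidrs:
                if not _is_trusted(cidr, trusted):
                    findings.append((port, cidr))
    return findings

# Constructed sample (not a real group): the admin port is open to the
# world, SSH is limited to the corporate range, and an "all traffic"
# rule exists only for that same trusted range.
SAMPLE_SG = json.loads("""{
  "GroupId": "sg-0123example",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []},
    {"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}
  ]
}""")

if __name__ == "__main__":
    for port, cidr in audit_security_group(SAMPLE_SG, ["10.20.0.0/16"]):
        print(f"TCP/{port} reachable from untrusted source {cidr}")
```

Run it against the output of `aws ec2 describe-security-groups --group-ids <id>` for the group attached to each ISE node; an empty result means every checked port is limited to the trusted ranges.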
Conclusion
The critical vulnerability in Cisco ISE underscores the importance of vigilant cybersecurity practices, especially in cloud environments. By implementing the recommended mitigations and staying informed about potential threats, organizations can better protect their sensitive data and maintain the integrity of their cloud deployments.
For more details, visit the full article: source
References
1. Cisco Security Advisory (2025). “Cisco Security Advisory”. Cisco. Retrieved June 5, 2025.