CISA Updates Known Exploited Vulnerabilities Catalog with Cisco ISE and PaperCut NG/MF Flaws

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added critical vulnerabilities in Cisco ISE and PaperCut NG/MF to its Known Exploited Vulnerabilities (KEV) catalog. Learn about the impact and necessary actions to mitigate these risks.

TL;DR

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added critical vulnerabilities in Cisco ISE and PaperCut NG/MF to its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities can allow unauthenticated remote attackers to execute arbitrary code with root privileges, posing significant security risks. Organizations are advised to update their systems immediately to mitigate these threats.

Main Content

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include critical flaws in Cisco ISE and PaperCut NG/MF. These vulnerabilities have been observed under active exploitation in the wild, prompting urgent action from organizations to mitigate potential risks.

Vulnerabilities Added to the Catalog

The following vulnerabilities have been added to the KEV catalog:

  • CVE-2025-20281: Cisco Identity Services Engine Injection Vulnerability
  • CVE-2025-20337: Cisco Identity Services Engine Injection Vulnerability
  • CVE-2023-2533: PaperCut NG/MF Cross-Site Request Forgery (CSRF) Vulnerability

Details of the Vulnerabilities

Cisco ISE Vulnerabilities

Cisco has confirmed that the recently disclosed vulnerabilities in Cisco ISE and ISE-PIC (CVE-2025-20281, CVE-2025-20282, CVE-2025-20337) are being actively exploited. These flaws allow unauthenticated remote attackers to execute arbitrary code with root privileges, posing a significant security risk.

“Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user.” [1]

In June, Cisco addressed the critical vulnerabilities CVE-2025-20281 and CVE-2025-20282, which affect Cisco ISE/ISE-PIC versions 3.3+ and 3.4, respectively. These vulnerabilities allow remote, unauthenticated attackers to execute arbitrary code with root privileges via vulnerable APIs.

  • CVE-2025-20281: Affects Cisco ISE/ISE-PIC 3.3+, allowing unauthenticated remote attackers to execute code as root.
  • CVE-2025-20282: Affects Cisco ISE/ISE-PIC 3.4, allowing unauthenticated remote attackers to upload and execute files as root.

Last week, Cisco also addressed CVE-2025-20337, a critical vulnerability with a CVSS score of 10. This flaw can be exploited to execute arbitrary code on the underlying operating system with root privileges.

PaperCut NG/MF Vulnerability

CVE-2023-2533 is a Cross-Site Request Forgery (CSRF) flaw in PaperCut NG/MF. Under specific conditions, this vulnerability could allow an attacker to alter security settings or execute arbitrary code. Experts warn that admin session hijacking is possible via a crafted malicious link that tricks logged-in admins into triggering unauthorized actions.

Mitigation Steps

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must address the identified vulnerabilities by the due date to protect their networks against attacks exploiting these flaws. Private organizations are also strongly advised to review the catalog and address the vulnerabilities in their infrastructure.

CISA has mandated that federal agencies fix these vulnerabilities by August 18, 2025.

Conclusion

The addition of these vulnerabilities to CISA’s KEV catalog underscores the urgent need for organizations to update their systems and implement robust security measures. Failure to address these flaws can result in severe security breaches, including unauthorized access and data compromise. Staying vigilant and proactive in managing security updates is crucial for maintaining a secure IT environment.

References

  1. Cisco Security Advisory (2025). “Cisco Security Advisory”. Cisco. Retrieved 2025-07-28.

This post is licensed under CC BY 4.0 by the author.