Two critical security vulnerabilities in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) could allow unauthenticated remote attackers to execute arbitrary commands on affected systems with root privileges.
The vulnerabilities, tracked as CVE-2025-20281 and CVE-2025-20282, both carry the maximum CVSS base score of 10.0, indicating their severity and potential impact on enterprise network security infrastructure.
The first vulnerability, CVE-2025-20281, affects Cisco ISE and ISE-PIC releases 3.3 and later versions. This security flaw exists in a specific API endpoint and stems from insufficient validation of user-supplied input.
An attacker can exploit this vulnerability by submitting a crafted API request without requiring any valid authentication credentials.
The vulnerability is classified under CWE-74, improper neutralization of special elements in output used by a downstream component (injection).
The attack vector for CVE-2025-20281 involves network-based exploitation with low attack complexity, requiring no user interaction.
Attackers can craft malicious API requests that bypass input validation controls and execute arbitrary commands on the target system.
The second vulnerability, CVE-2025-20282, is more targeted, affecting only Cisco ISE and ISE-PIC Release 3.4. This flaw exists in an internal API and allows attackers to upload arbitrary files to affected devices.
The vulnerability occurs due to a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on the system.
Once malicious files are uploaded, attackers can execute them on the underlying operating system with root privileges. For CVE-2025-20282, the exploitation method involves uploading crafted files through the vulnerable internal API.
The lack of proper file validation allows attackers to place malicious executables in privileged system directories, subsequently achieving code execution with elevated privileges.
The CVSS vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, which both vulnerabilities share (it is the only vector that yields a 10.0 base score), indicates network reachability with no privileges or user interaction, a changed scope, and maximum impact on confidentiality, integrity, and availability.
Both vulnerabilities enable unauthenticated remote code execution (RCE), meaning attackers do not need to bypass authentication mechanisms or obtain valid credentials before launching attacks.
The vulnerabilities were responsibly disclosed by security researchers Bobby Gould of Trend Micro Zero Day Initiative and Kentaro Kawane of GMO Cybersecurity by Ierae, working with the Zero Day Initiative.
| CVEs | Affected Products | Impact | Exploit Prerequisites | CVSS 3.1 Score |
|---|---|---|---|---|
| CVE-2025-20281 | Cisco ISE and ISE-PIC releases 3.3 and later | Unauthenticated remote code execution | No authentication required | 10.0 (Critical) |
| CVE-2025-20282 | Cisco ISE and ISE-PIC Release 3.4 only | Arbitrary file upload | No authentication required | 10.0 (Critical) |
Cisco has released software updates addressing both vulnerabilities, with no available workarounds to mitigate the security risks.
For CVE-2025-20281, affected ISE 3.3 installations require 3.3 Patch 6 with the specific patch file ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz.
ISE 3.4 systems need 3.4 Patch 2 using ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz. CVE-2025-20282 remediation requires ISE 3.4 systems to apply the same 3.4 Patch 2 release.
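The release and patch-level information above can be turned into a quick inventory check. The following is an added example, not Cisco's tooling or code from the advisory: it encodes only the affected trains and fixed patch levels stated here (3.3 Patch 6, 3.4 Patch 2), treats version strings such as `3.3.0.430 Patch 5` as an assumed input format, and assumes patch numbering is cumulative, which an operator should confirm against the advisory before relying on it.

```python
"""Patch-level check for CVE-2025-20281 / CVE-2025-20282 on Cisco ISE and ISE-PIC.

Added example. Encodes only what the article states: CVE-2025-20281 affects
3.3 and later (fixed in 3.3 Patch 6 and 3.4 Patch 2); CVE-2025-20282 affects
3.4 only (fixed in 3.4 Patch 2).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Fixed patch level per release train, as stated in the advisory summary above.
FIXED_PATCH = {"3.3": 6, "3.4": 2}

# Assumed input format, e.g. "3.3.0.430 Patch 5", "3.4 P2", "3.2". Patch defaults to 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.\d+){0,2}(?:\s*(?:patch|p)\s*(\d+))?$", re.I)


@dataclass
class Assessment:
    train: str
    applicable_cves: List[str]
    status: str  # "not_affected", "vulnerable", "patched", or "unknown"
    required_patch: Optional[int]


def cves_for_train(major: int, minor: int) -> List[str]:
    """3.3 and later are in scope for 20281; only 3.4 is in scope for 20282."""
    cves = []
    if (major, minor) >= (3, 3):
        cves.append("CVE-2025-20281")
    if (major, minor) == (3, 4):
        cves.append("CVE-2025-20282")
    return cves


def parse_version(text: str):
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def assess(version_text: str) -> Assessment:
    major, minor, patch = parse_version(version_text)
    train = f"{major}.{minor}"
    cves = cves_for_train(major, minor)
    if not cves:
        return Assessment(train, [], "not_affected", None)
    required = FIXED_PATCH.get(train)
    if required is None:
        # "3.3 and later" covers trains the article gives no fix level for: flag, don't guess.
        return Assessment(train, cves, "unknown", None)
    # Assumes patches are cumulative, i.e. Patch N includes the fix from Patch M < N.
    status = "patched" if patch >= required else "vulnerable"
    return Assessment(train, cves, status, required)
```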
The Cisco Product Security Incident Response Team (PSIRT) has reported no known public exploitation or malicious use of these vulnerabilities.
Organizations running affected Cisco ISE versions should prioritize immediate patching due to the critical nature of these vulnerabilities and their potential to compromise the entire system.