Cisco has issued a critical advisory for its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), disclosing two unauthenticated remote code execution vulnerabilities that let an attacker run arbitrary commands or code as root on affected systems.
Both vulnerabilities carry the maximum CVSS base score of 10.0 and affect ISE and ISE-PIC release 3.3 and later (CVE-2025-20282 affects release 3.4 only). No workarounds exist; Cisco has released software updates that fix the issues.
The vulnerabilities, tracked as CVE-2025-20281 and CVE-2025-20282, leave unpatched ISE and ISE-PIC deployments exposed to an attacker who needs no valid credentials to take full control of the appliance.
In both cases, successful exploitation gives the attacker root on the device, from which they can run malicious code, read the sensitive identity and policy data ISE holds, and pivot further into the network.
Cisco's advisory (cisco-sa-ise-unauth-rce-ZAd2GnJ6) states that there are no workarounds that address these vulnerabilities.
With both vulnerabilities rated critical and exploitable without user interaction or credentials, the threat to enterprise environments is severe.
To protect their networks, organizations must urgently apply the recommended software updates.
The fixed releases for affected versions are as follows:
Organizations running Cisco ISE or ISE-PIC release 3.3 or later are strongly advised to patch as soon as possible.
The two issues have different root causes. CVE-2025-20281 stems from insufficient validation of user-supplied input in one of ISE's APIs, which an unauthenticated remote attacker can exploit to run arbitrary operating system commands as root. CVE-2025-20282 stems from a lack of file validation in an internal API, which allows an unauthenticated remote attacker to upload a file into a privileged directory and then execute it as root. Either path lets an attacker disrupt operations, exfiltrate data, or plant a persistent root-level backdoor.
At the time of writing, Cisco's PSIRT is not aware of any public exploit code or of these vulnerabilities being exploited in the wild.
The vulnerabilities were responsibly disclosed by Bobby Gould of Trend Micro Zero Day Initiative and by Kentaro Kawane of GMO Cybersecurity by Ierae, working with Trend Micro Zero Day Initiative.
Customers without a service contract can obtain the fixes by contacting the Cisco Technical Assistance Center (TAC) and providing proof of entitlement to the product.
The incident underscores the importance of timely patch management and of limiting exposure of the management and API interfaces of identity and network access control infrastructure, since a compromised ISE node gives an attacker root on the system that decides who may join the network.