The Cybersecurity and Infrastructure Security Agency (CISA) has added two critical Cisco Identity Services Engine vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, warning that threat actors are actively exploiting these vulnerabilities in real-world attacks.
The vulnerabilities, tracked as CVE-2025-20281 and CVE-2025-20337, affect Cisco ISE and Cisco ISE-PIC systems and allow attackers to achieve remote code execution with root privileges through crafted API requests.
CISA officially added both vulnerabilities to the KEV catalog on July 28, 2025, marking them as actively exploited threats that require immediate attention from organizations worldwide.
Both are injection flaws in specific APIs within Cisco’s Identity Services Engine platform, a widely deployed network access control solution used by enterprises to manage device authentication and authorization policies.
Both CVE-2025-20281 and CVE-2025-20337 stem from insufficient validation of user-supplied input in Cisco ISE and ISE-PIC systems.
The vulnerabilities are classified under Common Weakness Enumeration (CWE-74), which covers injection vulnerabilities that occur when untrusted data is sent to an interpreter as part of a command or query.
This classification indicates that the vulnerabilities allow attackers to inject malicious code or commands into the system through specially crafted API requests.
The inclusion of these vulnerabilities in CISA’s authoritative KEV catalog signals that federal agencies and critical infrastructure organizations must treat these as high-priority security threats.
The KEV catalog serves as the definitive source for vulnerabilities that pose active risks to organizations, helping security teams prioritize their remediation efforts based on real-world exploitation evidence.
Cisco Identity Services Engine
The exploitation process involves submitting malicious API requests to vulnerable Cisco ISE systems, leveraging the insufficient input validation to inject harmful code.
Successful attacks enable threat actors to execute arbitrary commands on the targeted system with root-level privileges, providing complete administrative control over the affected infrastructure.
The technical severity of these vulnerabilities cannot be overstated, as root access allows attackers to modify system configurations, access sensitive authentication data, install persistent backdoors, and potentially move laterally within network environments.
Given that Identity Services Engine platforms typically handle critical network access control functions, compromise of these systems could lead to widespread network breaches and unauthorized access to protected resources.
Currently, CISA has not determined whether these vulnerabilities are being used specifically in ransomware campaigns, though the agency continues monitoring threat intelligence for such connections.
The unknown ransomware connection status requires organizations to remain vigilant for indicators of compromise and potential follow-on attacks that could leverage the initial ISE compromise for broader network infiltration.
Urgent Remediation Required by August 18
CISA has established August 18, 2025, as the mandatory remediation deadline for federal agencies, giving organizations just three weeks to address these critical vulnerabilities.
According to the report, organizations should immediately inventory their Cisco ISE deployments, assess exposure levels, and implement available security updates or workarounds.
The agency recommends that affected organizations apply vendor-supplied mitigations according to Cisco’s security guidance, follow applicable Binding Operational Directive (BOD) 22-01 requirements for cloud services, or discontinue use of vulnerable products if effective mitigations remain unavailable.
The tight remediation timeline reflects the active exploitation status and potential for widespread impact across enterprise networks relying on Cisco’s identity management solutions.
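One way to turn the KEV listing into a remediation worklist is sketched below; it is an added example, not code from CISA, Cisco or the article. It joins scanner findings against KEV entries and ranks them by due date. The field names follow CISA's published KEV JSON feed, the entry values come from the article, and the hostnames, findings and non-KEV CVE are constructed placeholders.

```python
import json
from datetime import date

# Constructed excerpt in the layout of CISA's KEV JSON feed. CVE IDs, dates,
# CWE and ransomware status are the values reported in the article.
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2025-20281", "vendorProject": "Cisco",
   "product": "Identity Services Engine", "dateAdded": "2025-07-28",
   "dueDate": "2025-08-18", "knownRansomwareCampaignUse": "Unknown",
   "cwes": ["CWE-74"]},
  {"cveID": "CVE-2025-20337", "vendorProject": "Cisco",
   "product": "Identity Services Engine", "dateAdded": "2025-07-28",
   "dueDate": "2025-08-18", "knownRansomwareCampaignUse": "Unknown",
   "cwes": ["CWE-74"]}
]}
""")

# Constructed scanner output: hostnames and the last CVE are placeholders.
FINDINGS = [
    {"host": "ise-psn-02.example.internal", "cve": "CVE-2025-20337"},
    {"host": "ise-pan-01.example.internal", "cve": "CVE-2025-20281"},
    {"host": "web-01.example.internal", "cve": "CVE-0000-00000"},
]

def kev_worklist(feed, findings, today):
    """Join findings against KEV entries and rank them by deadline."""
    kev = {v["cveID"]: v for v in feed["vulnerabilities"]}
    rows = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue  # not KEV-listed: falls under the normal patch SLA
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "host": f["host"], "cve": f["cve"], "due": due,
            "days_left": (due - today).days,   # negative once overdue
            "overdue": today > due,
            "ransomware": entry["knownRansomwareCampaignUse"],
        })
    # Most urgent first; host name breaks ties for stable output.
    return sorted(rows, key=lambda r: (r["days_left"], r["host"]))

if __name__ == "__main__":
    for r in kev_worklist(KEV_FEED, FINDINGS, date(2025, 8, 1)):
        state = "OVERDUE" if r["overdue"] else f"{r['days_left']}d left"
        print(f"{r['host']:32} {r['cve']} due {r['due']} ({state}), "
              f"ransomware use: {r['ransomware']}")
```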




