Cisco on Wednesday introduced patches for 2 critical-severity vulnerabilities in Identification Companies Engine (ISE) and Cisco ISE Passive Identification Connector (ISE-PIC) that would result in distant code execution (RCE).
Exploitable with out authentication, the 2 flaws are tracked as CVE-2025-20281 and CVE-2025-20282 and have the utmost severity rating of 10/10. Each impression particular APIs inside the affected merchandise.
CVE-2025-20281 exists as a result of user-supplied enter is insufficiently validated, permitting distant, unauthenticated attackers to submit crafted API requests and execute arbitrary code with root privileges.
CVE-2025-20282 exists as a result of an absence of file validation checks permits attackers to position arbitrary recordsdata in privileged directories on a weak system.
“An attacker might exploit this vulnerability by importing a crafted file to the affected gadget. A profitable exploit might enable the attacker to retailer malicious recordsdata on the affected system after which execute arbitrary code or get hold of root privileges on the system,” Cisco explains in its advisory.
The bugs usually are not depending on each other, and the exploitation of both of them doesn’t require that the opposite is exploited. Moreover, Cisco says, software program variations affected by one flaw will not be impacted by the opposite.
CVE-2025-20281 impacts ISE and ISE-PIC releases 3.3 and later, and was fastened in ISE and ISE-PIC variations 3.3 patch 6 and three.4 patch 2. CVE-2025-20282 solely impacts ISE and ISE-PIC launch 3.4, no matter gadget configuration, and was addressed in ISE and ISE-PIC 3.4 patch 2.
Given the essential severity of each vulnerabilities, customers are suggested to use the obtainable patches as quickly as attainable.Commercial. Scroll to proceed studying.
On Wednesday, Cisco additionally introduced fixes for a medium-severity ISE flaw that would enable distant attackers to bypass authorization mechanisms and modify particular system settings, together with some resulting in a system restart.
Cisco says it’s not conscious of any of those vulnerabilities being exploited within the wild. Further info will be discovered on the corporate’s safety advisories web page.
Associated: Excessive-Severity Vulnerabilities Patched by Cisco, Atlassian
Associated: Cisco Patches Vital ISE Vulnerability With Public PoC
Associated: Technical Particulars Printed for Vital Cisco IOS XE Vulnerability
