Cisco Systems has issued a critical security advisory warning of multiple remote code execution vulnerabilities in its Identity Services Engine (ISE) that are being actively exploited by attackers in the wild.
The vulnerabilities, carrying the maximum CVSS severity rating of 10.0, allow unauthenticated remote attackers to execute arbitrary commands with root privileges on affected systems.
The networking giant disclosed three separate vulnerabilities tracked as CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337, all of which affect Cisco ISE and ISE Passive Identity Connector (ISE-PIC) deployments.
The company's Product Security Incident Response Team (PSIRT) confirmed in July 2025 that some of these vulnerabilities are being exploited in active attacks, prompting urgent calls for organizations to apply patches immediately.
Cisco ISE RCE Vulnerability Exploited in Wild
The most severe vulnerabilities, CVE-2025-20281 and CVE-2025-20337, stem from insufficient validation of user-supplied input in specific APIs within ISE versions 3.3 and 3.4.
These flaws allow attackers to submit crafted API requests without any authentication, potentially gaining root access to targeted systems. The third vulnerability, CVE-2025-20282, affects only ISE version 3.4 and involves an internal API that lacks proper file validation checks.
“An attacker could exploit these vulnerabilities by submitting a crafted API request,” Cisco explained in its advisory. “A successful exploit could allow the attacker to obtain root privileges on an affected device.”
The CVE-2025-20282 flaw enables attackers to upload arbitrary files to privileged directories and subsequently execute them with root permissions.
All three vulnerabilities are classified under Common Weakness Enumeration categories CWE-269 (Improper Privilege Management) and CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), highlighting fundamental security design issues.
Cisco emphasized that no workarounds exist for these vulnerabilities, making immediate patching the only viable defense strategy. The company has released enhanced fixed releases following initial patches that were found to be incomplete.
Organizations running ISE Release 3.4 Patch 2 require no further action, as this version contains all necessary fixes. However, systems running ISE Release 3.3 Patch 6 must upgrade to Release 3.3 Patch 7 for full protection.
| Cisco ISE or ISE-PIC Release | First Fixed Release for CVE-2025-20281 | First Fixed Release for CVE-2025-20282 | First Fixed Release for CVE-2025-20337 |
|---|---|---|---|
| 3.2 and earlier | Not vulnerable | Not vulnerable | Not vulnerable |
| 3.3 | 3.3 Patch 7 | Not vulnerable | 3.3 Patch 7 |
| 3.4 | 3.4 Patch 2 | 3.4 Patch 2 | 3.4 Patch 2 |
Cisco specifically warned that earlier hot patches (ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz and ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz) failed to address CVE-2025-20337 and have been withdrawn from distribution.
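The fixed-release table above can be turned into a fleet triage check. The script below is an added example, not Cisco's tooling or code from the original article; it assumes you already have each node's version string and cumulative patch number, and the hostnames in the sample inventory are hypothetical.

```python
import re

# First fixed cumulative patch per release train, copied from the advisory table above.
# None = that release train is not affected by the CVE.
FIRST_FIXED = {
    "3.3": {"CVE-2025-20281": 7, "CVE-2025-20282": None, "CVE-2025-20337": 7},
    "3.4": {"CVE-2025-20281": 2, "CVE-2025-20282": 2, "CVE-2025-20337": 2},
}

def parse_train(version):
    """Return (major, minor) from strings such as '3.3' or '3.3.0.430'."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.\d+)*\s*", version)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {version!r}")
    return int(m.group(1)), int(m.group(2))

def unpatched_cves(version, patch):
    """CVEs still open on a node at `version` with cumulative patch `patch` (0 = none).

    Hot patches are deliberately not an input: the withdrawn ones do not
    address CVE-2025-20337, so only the cumulative patch level counts here.
    """
    major, minor = parse_train(version)
    if (major, minor) <= (3, 2):
        return []  # 3.2 and earlier: not vulnerable per the table
    fixed = FIRST_FIXED.get(f"{major}.{minor}")
    if fixed is None:
        # A release the table does not list: do not guess, flag for review.
        raise LookupError(f"release {major}.{minor} is not covered by the advisory table")
    return sorted(c for c, p in fixed.items() if p is not None and patch < p)

def triage(inventory):
    """Map hostname -> open CVEs, or a REVIEW marker when the table gives no answer."""
    report = {}
    for host, version, patch in inventory:
        try:
            report[host] = unpatched_cves(version, patch)
        except (ValueError, LookupError) as exc:
            report[host] = [f"REVIEW: {exc}"]
    return report

if __name__ == "__main__":
    # Constructed inventory (hypothetical hostnames): (host, version, cumulative patch).
    sample = [("ise-pan-1", "3.3.0.430", 6), ("ise-psn-1", "3.4.0.608", 2),
              ("ise-psn-2", "3.4.0.608", 1), ("ise-lab", "3.2", 0)]
    for host, result in triage(sample).items():
        print(host, "OK" if not result else ", ".join(result))
```

Nodes reported as REVIEW run a release the table does not list and need to be checked against Cisco's advisory by hand.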
Active Exploitation
The confirmation of in-the-wild exploitation significantly elevates the urgency of this security issue.
Cisco ISE serves as a critical network access control and policy enforcement platform used by organizations worldwide to manage device authentication and authorization. A successful compromise could provide attackers with extensive network visibility and control capabilities.
Security researchers Bobby Gould of Trend Micro Zero Day Initiative and Kentaro Kawane of GMO Cybersecurity by Ierae were credited with discovering and reporting these vulnerabilities through responsible disclosure processes.
Cisco continues to monitor for exploitation attempts and strongly urges all affected customers to prioritize these updates.
Organizations should verify their ISE versions immediately and plan emergency maintenance windows to apply the necessary patches, given the critical nature of these vulnerabilities and confirmed exploitation activity.