Cisco on Wednesday informed customers of another critical-severity vulnerability in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could lead to remote code execution (RCE).
In an update to a June 25 advisory detailing two such flaws, tracked as CVE-2025-20281 and CVE-2025-20282, the tech giant added a fresh CVE to the list, alerting users of its maximum severity score.
Tracked as CVE-2025-20337, the bug has a CVSS score of 10/10, the same as the other two issues, and impacts the same API as CVE-2025-20281.
“Multiple vulnerabilities in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit these vulnerabilities,” Cisco notes in its advisory.
The insufficient validation of user-supplied input, the company explains, could allow an attacker to submit a crafted API request and obtain root privileges on an affected device.
The security defects impact Cisco ISE and ISE-PIC versions 3.3 and 3.4, and were addressed in versions 3.3 Patch 7 and 3.4 Patch 2.
On Tuesday, Cisco also announced fixes for CVE-2025-20274 (CVSS score of 6.3), a high-severity vulnerability in the web-based management interface of Unified Intelligence Center that could be exploited for arbitrary file uploads.
Improper validation of files uploaded to the interface allows authenticated, remote attackers to store malicious files on the system, leading to the execution of arbitrary commands. The flaw could be exploited to elevate privileges to root, which increases its severity, Cisco says.
Patches for the issue were included in Unified Intelligence Center versions 12.5(1) SU ES05 and 12.6(2) ES05. Cisco recommends that users of Unified CCX versions 12.5(1) SU3 and earlier migrate to version 15, which is not affected.
The tech giant also announced patches for medium-severity security defects in ISE and ISE-PIC, Evolved Programmable Network Manager (EPNM), Prime Infrastructure, and Unified Intelligence Center.
Cisco says it is not aware of any of these vulnerabilities being exploited in the wild. Additional information can be found on the company’s security advisories page.
Related: Cisco Warns of Hardcoded Credentials in Enterprise Software
Related: High-Severity Vulnerabilities Patched by Cisco, Atlassian
Related: Cisco Patches Critical ISE Vulnerability With Public PoC
Related: Technical Details Published for Critical Cisco IOS XE Vulnerability