Cisco fixed critical ISE flaws allowing Root-level remote code execution
Cisco released patches to address two critical vulnerabilities in ISE and ISE-PIC that could let remote attackers execute code as root.
Cisco addressed two critical vulnerabilities, tracked as CVE-2025-20281 and CVE-2025-20282, in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could allow remote, unauthenticated attackers to execute arbitrary code with root privileges.
“Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user.” reads the advisory.
CVE-2025-20281 (CVSS score of 10) affects Cisco ISE/ISE-PIC 3.3+, while CVE-2025-20282 (CVSS score of 10) impacts only version 3.4. Versions outside these ranges are not impacted.
CVE-2025-20281 is a critical flaw in Cisco ISE/ISE-PIC allowing unauthenticated remote attackers to execute code as root via a vulnerable API.
“This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request.” continues the advisory. “A successful exploit could allow the attacker to obtain root privileges on an affected device.”
The second flaw, tracked as CVE-2025-20282, is a critical issue in Cisco ISE/ISE-PIC allowing unauthenticated remote attackers to upload and execute files as root via an internal API.
“This vulnerability is due to a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. An attacker could exploit this vulnerability by uploading a crafted file to the affected device.” reads the advisory. “A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system.”
The IT giant states that there are no workarounds that address these vulnerabilities.
The following table includes fixed releases:
Cisco ISE or ISE-PIC Release | First Fixed Release for CVE-2025-20281 | First Fixed Release for CVE-2025-20282
---|---|---
3.2 and earlier | Not vulnerable | Not vulnerable
3.3 | 3.3 Patch 6 (ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz) | Not vulnerable
3.4 | 3.4 Patch 2 (ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz) | 3.4 Patch 2 (ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz)
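A small inventory triage helper built from the fixed-release table above, added here as an example and not part of the article or of Cisco's tooling. It assumes ISE versions are recorded as strings such as "3.3 Patch 4" (that format is an assumption); the release trains and patch levels come from the table.

```python
"""Triage helper for the Cisco ISE / ISE-PIC advisory summarised above.

Added example, not Cisco's code. The first-fixed patch levels come from
the article's table; the "<major>.<minor> Patch <n>" version format is an
assumption about how an operator records ISE versions in an inventory.
"""
import re
from typing import Dict, List, Optional, Tuple

# First fixed patch level per release train and CVE (from the article).
# A train missing from a CVE's map is not vulnerable to that CVE, matching
# the article's statement that versions outside these ranges are not impacted.
FIRST_FIXED: Dict[str, Dict[str, Optional[int]]] = {
    "CVE-2025-20281": {"3.3": 6, "3.4": 2},
    "CVE-2025-20282": {"3.4": 2},
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?\s*$", re.I)


def parse_version(text: str) -> Tuple[str, int]:
    """Return (train, patch) from a string like '3.3 Patch 4' or '3.4'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3)
    return f"{major}.{minor}", int(patch or 0)  # no patch suffix means patch 0


def affected_cves(version: str) -> List[str]:
    """List the advisory's CVEs that a given ISE version is still exposed to."""
    train, patch = parse_version(version)
    exposed = []
    for cve, fixes in FIRST_FIXED.items():
        first_fixed = fixes.get(train)
        # Exposed only if the train is in scope and the patch level is below the fix.
        if first_fixed is not None and patch < first_fixed:
            exposed.append(cve)
    return exposed


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map host -> outstanding CVEs, keeping only hosts that still need a patch."""
    return {host: cves for host, ver in inventory.items() if (cves := affected_cves(ver))}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"ise-pan-01": "3.4 Patch 1", "ise-psn-02": "3.3 Patch 6", "ise-old": "3.2"}
    for host, cves in triage(sample).items():
        print(f"{host}: patch required for {', '.join(cves)}")
```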
The company’s Product Security Incident Response Team (PSIRT) is not aware of attacks in the wild exploiting these vulnerabilities.