Critical Cisco ISE Flaw: Unauthenticated Attackers Can Execute Commands as Root
A critical vulnerability in Cisco's Identity Services Engine (ISE) has sent shockwaves through the cybersecurity community, exposing networks to pre-authentication attacks that could grant attackers full administrative control. Designated as CVE-2025-20337, this flaw stems from insufficient input validation in the API, allowing remote, unauthenticated attackers to submit specially crafted requests that execute arbitrary commands or store malicious files. With a perfect 10.0 CVSS severity rating, it poses one of the gravest threats to enterprise security infrastructure this year, underscoring the persistent risk carried by network access control systems.
The Anatomy of the Threat
Discovered by Kentaro Kawane of Japan's GMO Cybersecurity by Ierae and disclosed through Trend Micro's Zero Day Initiative (ZDI), the vulnerability affects Cisco ISE and ISE-PIC releases 3.3 and 3.4. Attackers can exploit it without credentials, potentially compromising devices to:
- Execute code with root privileges
- Upload and run malicious payloads
- Bypass critical security controls
This flaw was added to an existing security bulletin alongside two other maximum-severity RCE vulnerabilities (CVE-2025-20281 and CVE-2025-20282), creating a trifecta of risks. Cisco explicitly warns that patching one does not mitigate the others, necessitating comprehensive updates. As stated in their advisory:
"These vulnerabilities affect Cisco ISE and ISE-PIC releases 3.3 and 3.4, regardless of device configuration... and do not impact Release 3.2 or earlier."
Patch Urgency and Affected Versions
No in-the-wild exploitation has been observed yet, but the absence of workarounds heightens the urgency. Administrators must upgrade to specific patched releases to address all three critical CVEs. The table below outlines the fixes:
| Cisco ISE/ISE-PIC Release | Fixed in Patch for CVE-2025-20281 | Fixed in Patch for CVE-2025-20282 | Fixed in Patch for CVE-2025-20337 |
|---|---|---|---|
| 3.2 and earlier | Not vulnerable | Not vulnerable | Not vulnerable |
| 3.3 | 3.3 Patch 7 | Not vulnerable | 3.3 Patch 7 |
| 3.4 | 3.4 Patch 2 | 3.4 Patch 2 | 3.4 Patch 2 |
Cisco advises testing configurations and ensuring sufficient memory before upgrading, as botched patches could destabilize systems.
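Because three CVEs with different fixed-in levels are in play, the practical defender task is an inventory sweep: parse each node's reported ISE release and patch level and report which of the three CVEs the fix table above still leaves outstanding. The following script is an added example and is not code from Cisco, BleepingComputer or the advisory; it assumes version strings of the form "3.3.0.430 Patch 7" or "3.4 Patch 2" (patch omitted when none is installed), treats any release train the table does not list as unknown rather than safe, and uses a constructed sample inventory.

```python
import re
from dataclasses import dataclass

# Minimum patch level that addresses each CVE, taken from the fix table above.
# None means that release train is not vulnerable to the CVE at all.
# 3.2 and earlier are not affected by any of the three, so they are handled
# before this table is consulted.
FIX_TABLE = {
    "3.3": {"CVE-2025-20281": 7, "CVE-2025-20282": None, "CVE-2025-20337": 7},
    "3.4": {"CVE-2025-20281": 2, "CVE-2025-20282": 2, "CVE-2025-20337": 2},
}

# Assumed version-string format: "<major>.<minor>[.<build>...][ Patch <n>]"
VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.\d+)*(?:\s*[Pp]atch\s*(\d+))?\s*$"
)


@dataclass
class IseVersion:
    major: int
    minor: int
    patch: int  # 0 when no patch is installed


def parse_version(text):
    """Parse an ISE version string into its release train and patch level."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    return IseVersion(int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def unpatched_cves(text):
    """Return the sorted list of the three CVEs still unaddressed at this version."""
    v = parse_version(text)
    train = f"{v.major}.{v.minor}"
    if (v.major, v.minor) < (3, 3):
        return []  # Release 3.2 and earlier are not vulnerable
    if train not in FIX_TABLE:
        # Do not assume a train the advisory does not list is safe; make the caller decide.
        raise ValueError(f"release train {train} is not covered by the fix table")
    return sorted(
        cve
        for cve, min_patch in FIX_TABLE[train].items()
        if min_patch is not None and v.patch < min_patch
    )


def audit(inventory):
    """inventory: iterable of (hostname, version_string) -> {hostname: [outstanding CVEs]}"""
    return {host: unpatched_cves(version) for host, version in inventory}


# Constructed sample inventory (hostnames and versions are made up for the example)
SAMPLE_INVENTORY = [
    ("ise-dc1", "3.3.0.430 Patch 6"),
    ("ise-dc2", "3.3.0.430 Patch 7"),
    ("ise-lab", "3.4"),
    ("ise-old", "3.2 Patch 4"),
]

if __name__ == "__main__":
    for host, cves in audit(SAMPLE_INVENTORY).items():
        status = "OUTSTANDING: " + ", ".join(cves) if cves else "ok"
        print(f"{host:10s} {status}")
```

The comparison is per CVE rather than per release because, as the table shows, a 3.3 node is never exposed to CVE-2025-20282 yet still needs Patch 7 for the other two, while a 3.4 node needs Patch 2 for all three. Raising on an unlisted release train is deliberate: a newer train may or may not be affected, and the advisory alone does not say.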
Broader Security Implications
Beyond the critical trio, Cisco's latest advisories include four additional vulnerabilities:
- CVE-2025-20274: High-severity arbitrary file upload in Unified Intelligence Center (fixed in 12.5(1) SU ES05/12.6(2) ES05).
- CVE-2025-20272: Medium-severity SQL injection in Prime Infrastructure/EPNM (fixed in 3.10.6 SU2/8.0.1/8.1.1).
- CVE-2025-20283/20284/20285: Medium-severity RCE and IP bypass flaws in ISE (fixed in 3.3 Patch 7/3.4 Patch 2).
- CVE-2025-20288: Medium-severity SSRF in Unified Intelligence Center (fixed in 12.5(1) SU ES05/12.6(2) ES05).
These disclosures underscore a pattern of input validation failures in Cisco's ecosystem and show how API endpoints remain an attractive attack surface. For security teams, this incident reinforces the non-negotiable need for rigorous patch management, especially in identity services that act as gatekeepers to critical resources. In an era where supply chain attacks proliferate, delaying updates even briefly could cascade into organizational compromise, making proactive defense the only viable strategy.
Source: BleepingComputer