The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about critical, actively exploited vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). Following reports of in-the-wild exploitation, two of the flaws (CVE-2025-20281 and CVE-2025-20337) have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog; organizations that do not patch promptly are at significant risk, because ISE is the component that decides who is admitted to the network.
Details of the Vulnerabilities
Cisco has disclosed three critical vulnerabilities, each rated CVSS 10.0, in Cisco ISE and ISE-PIC releases 3.3 and 3.4. All three are reachable without credentials:
- CVE-2025-20281: insufficient validation of user-supplied input in a specific API lets an unauthenticated remote attacker execute arbitrary commands on the underlying operating system as root. Affects releases 3.3 and 3.4.
- CVE-2025-20337: a second flaw in the same API (unsafe deserialization of attacker-controlled input) with the same outcome: unauthenticated remote command execution as root. Affects releases 3.3 and 3.4.
- CVE-2025-20282: an internal API lacks file validation checks, allowing an unauthenticated remote attacker to upload arbitrary files into privileged directories and execute them as root. Affects release 3.4 only.
Because none of these requires authentication, there is no credential to steal or bypass: a successful attacker obtains full root control of the appliance, and with it the network access policy that ISE enforces.
Exploitation Status
Both CISA and Cisco confirmed in-the-wild exploitation of these vulnerabilities in July 2025. Public proof-of-concept exploit code followed, which lowers the bar for opportunistic attackers and makes widespread scanning and exploitation more likely; remediation should therefore not wait for a maintenance window.
One published exploitation analysis showed that the flaws can be chained to break out of the privileged Docker container in which the vulnerable service runs and obtain root on the ISE host itself, giving the attacker control over the appliance's network access control decisions rather than just one service.
Mitigation and Recommendations
Cisco has published no workarounds for these vulnerabilities; upgrading is the only effective fix. Cisco has released fixed software and advises all customers to upgrade to:
- ISE 3.3 Patch 7 or later
- ISE 3.4 Patch 2 or later
CISA has directed federal civilian agencies to apply these updates by August 18, 2025. Every organization running Cisco ISE or ISE-PIC, federal or not, should treat that date as an outer bound and act immediately.
Recommended Steps:
- Immediate Patching: Upgrade every ISE and ISE-PIC node in each deployment to 3.3 Patch 7 or 3.4 Patch 2 (or later). A deployment is only as safe as its least-patched node, so verify the patch level on each node rather than on the primary administration node alone.
- Log Monitoring: Review logs for unexpected API requests and file uploads, especially on nodes whose administration or API interface is reachable from the internet. Because the flaws require no authentication and execute as root, authentication logs alone will not reveal a compromise; also look for unexpected files, processes and outbound connections on nodes that were unpatched while exploit code was public.
- Risk Assessment: Inventory which ISE nodes expose their administration or API interface beyond the management network, patch externally reachable and mission-critical nodes first, and restrict that access to trusted management networks where possible. Restricting exposure reduces risk but does not replace the patch.
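The patching and prioritization steps above reduce to a simple triage over an inventory: map each node's release train to the fixed patch level, flag anything below it, and order the work by exposure. The following Python script is an added example written for this article, not Cisco's code and not part of the original page. It takes the fixed-version thresholds stated above (3.3 Patch 7, 3.4 Patch 2); the inventory rows, hostnames, build numbers and the assumption that ISE version strings look like "3.3.0.430" (first two components identify the release train) are constructed for illustration. Releases the advisory does not cover are reported as "unknown" rather than silently treated as safe.

```python
"""Triage Cisco ISE / ISE-PIC nodes against the fixed patch levels.

Added example for this article; not Cisco's code and not part of the
original page. Thresholds come from the advisory summary (3.3 Patch 7 or
later, 3.4 Patch 2 or later). Inventory records and version strings below
are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Minimum cumulative patch that contains the fixes, keyed by release train.
# Trains not listed here (e.g. 3.2) are outside the advisory's scope and are
# reported as "unknown" so they get a human look instead of a green tick.
FIXED_PATCH = {"3.3": 7, "3.4": 2}

# Assumption: ISE version strings look like "3.3.0.430"; the first two
# components identify the release train, the rest is build information.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)*$")


@dataclass(frozen=True)
class IseNode:
    hostname: str
    version: str            # e.g. "3.3.0.430" (format assumed, see above)
    patch: int              # cumulative patch number; 0 = no patch applied
    internet_exposed: bool  # admin/API interface reachable from untrusted networks


def release_train(version: str) -> str:
    """'3.3.0.430' -> '3.3'. Malformed input raises so a bad inventory row
    fails loudly instead of being scored as patched."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ISE version string: {version!r}")
    return f"{m.group(1)}.{m.group(2)}"


def status(node: IseNode) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for a single node."""
    required = FIXED_PATCH.get(release_train(node.version))
    if required is None:
        return "unknown"
    return "patched" if node.patch >= required else "vulnerable"


def prioritize(inventory: list[IseNode]) -> list[str]:
    """Hostnames that need action, most urgent first: internet-exposed
    vulnerable nodes, then internal vulnerable nodes, then nodes on a
    release train the advisory does not cover. Patched nodes are omitted."""
    rank = {"vulnerable": 0, "unknown": 1}
    todo = [(node, status(node)) for node in inventory]
    todo = [(node, st) for node, st in todo if st != "patched"]
    # Sort key: severity bucket, exposed-before-internal, then name for stability.
    todo.sort(key=lambda ns: (rank[ns[1]], not ns[0].internet_exposed, ns[0].hostname))
    return [node.hostname for node, _ in todo]


# Constructed sample inventory: hostnames, builds and exposure are made up.
SAMPLE_INVENTORY = [
    IseNode("ise-pan-01", "3.3.0.430", 6, internet_exposed=False),
    IseNode("ise-psn-01", "3.3.0.430", 7, internet_exposed=True),
    IseNode("ise-pic-01", "3.4.0.608", 1, internet_exposed=True),
    IseNode("ise-psn-02", "3.4.0.608", 2, internet_exposed=False),
    IseNode("ise-lab-01", "3.2.0.542", 6, internet_exposed=False),
]

if __name__ == "__main__":
    for node in SAMPLE_INVENTORY:
        print(f"{node.hostname:12} {node.version} patch {node.patch:>2}: {status(node)}")
    print("patch order:", prioritize(SAMPLE_INVENTORY))
```

Run against the constructed inventory, the script marks the 3.3 Patch 6 and 3.4 Patch 1 nodes as vulnerable, the Patch 7 and Patch 2 nodes as patched, and the 3.2 lab node as unknown, and puts the internet-exposed ISE-PIC node at the head of the patch order. In a real deployment the inventory would be populated from each node's version and patch information rather than typed in by hand, and "internet_exposed" should come from the firewall rules, not from memory.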