Cisco Confirms Active Exploits Targeting ISE Flaws Enabling Unauthenticated Root Access

July 22, 2025 invoker category_news

Security Update News

Update Information

Title Cisco Confirms Active Exploits Targeting ISE Flaws Enabling Unauthenticated Root Access
Update ID THN:5DA7746653064E14DE6FC516F20E0611
Type thn
Published 2025-07-22T13:08:00
Last Updated 2025-07-22T13:12:55

Security Impact

CVSS Score 10.0
Severity CRITICAL

Affected CVEs

  • CVE-2025-20281
  • CVE-2025-20282
  • CVE-2025-20337

Update Details

![Active Exploits Targeting ISE Flaws](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)

Cisco on Monday updated its advisory of a set of recently disclosed security flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) to acknowledge active exploitation.

“In July 2025, the Cisco PSIRT [Product Security Incident Response Team], became aware of attempted exploitation of some of these vulnerabilities in the wild,” the company said in an alert.

The network equipment vendor did not disclose which vulnerabilities have been weaponized in real-world attacks, the identity of the threat actors exploiting them, or the scale of the activity.

Cisco ISE plays a central role in network access control, managing which users and devices are allowed onto corporate networks and under what conditions. A compromise at this layer could give attackers unrestricted access to internal systems, bypassing authentication controls and logging mechanisms—turning a policy engine into an open door.

The vulnerabilities outlined in the alert are all critical-rated bugs (CVSS scores: 10.0) that could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user –

* **CVE-2025-20281 **and**CVE-2025-20337** \- Multiple vulnerabilities in a specific API that could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root
* **CVE-2025-20282** \- A vulnerability in an internal API that could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and then execute those files on the underlying operating system as root

![Cybersecurity](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)

While the first two flaws are the result of insufficient validation of user-supplied input, the latter stems from a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system.

As a result, an attacker could leverage these shortcomings by submitting a crafted API request (for CVE-2025-20281 and CVE-2025-20337) or uploading a crafted file to the affected device (for CVE-2025-20282).

In light of active exploitation, it’s essential that customers upgrade to a fixed software release as soon as possible to remediate these vulnerabilities. These flaws are exploitable remotely without authentication, placing unpatched systems at high risk of pre-auth remote code execution—a top-tier concern for defenders managing critical infrastructure or compliance-driven environments.

Security teams should also review system logs for suspicious API activity or unauthorized file uploads, especially in externally exposed deployments.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

View Advisory Details

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.