Cisco patches 10.0 vulnerability in ISE, its second in three weeks

Cisco issued a patch July 16 for a maximum-severity 10.0 input validation bug in an API of Cisco Identity Services Engine (ISE) and Cisco ISE-PIC.

The bug the company patched, CVE-2025-20337, was similar to CVE-2025-20281, also a 10.0 vulnerability, for which Cisco released a patch just three weeks ago on June 25.

In both cases the maximum-severity vulnerability was in a specific API of Cisco ISE and could let an unauthenticated remote attacker execute arbitrary code on the underlying operating system as root.

What makes it especially dangerous is that the attacker does not require any valid credentials to exploit this vulnerability. An attacker could exploit the vulnerability by submitting a crafted API request.

Both were flaws in Cisco ISE products, which raised eyebrows among some security experts.

“Cisco’s disclosure of CVE-2025-20337 highlights a troubling pattern in API-exposed infrastructure: insufficient input validation leading to unauthenticated remote code execution,” said Randolph Barr, chief information security officer at Cequence Security. “With a CVSS score of 10.0, this is a worst-case scenario. Attackers can remotely gain root access without credentials or user interaction.”

Barr added that while it’s positive that Cisco was transparent and swiftly released patches, the reality is that patching these types of vulnerabilities — especially in large, distributed enterprise environments — is not instantaneous. Barr explained that restart requirements and dependencies on high-availability setups often delay full remediation.

“What’s particularly concerning in 2025 is the role of generative AI in democratizing exploitation,” said Barr. “Attackers with little technical experience can now use AI to identify exposed Cisco ISE systems, craft malicious API requests, and launch targeted attacks, significantly accelerating the threat window. This means organizations need to assume patching alone is not fast enough.”

Sagy Kratu, senior product manager at Vicarius, added that the industry now sees more critical flaws in enterprise-grade products because complexity and velocity have outpaced secure development. Kratu pointed out that this is the second maximum-severity flaw in Cisco ISE in three weeks.

“Cisco ISE isn’t just another tool — it’s embedded deep in network access control, enforcing authentication, segmentation, and device trust,” said Kratu. “When the system that’s supposed to enforce trust becomes the risk itself, it’s a wake-up call, and raises a tough question: What’s my Plan B?”

Kratu offered the following tips to organizations for how to respond when trusted systems show flaws:

  • Assume breach by default: Design the architecture expecting even core systems to fail or be exploited.
  • Isolate critical systems: Use network segmentation and access boundaries to reduce blast radius.
  • Implement out-of-band monitoring: Don’t rely solely on the vendor’s logs or controls; watch from the outside, too.
  • Limit privilege scope: Apply strict least-privilege policies and time-bound access for administrative accounts.
  • Have a vendor-agnostic playbook: Be ready to disable, patch around, or replace critical components fast.
