
Cisco patches Identity Services Engine flaw affecting AWS, Azure, OCI


Cisco on June 4 released patches for a flaw in cloud deployments of the Cisco Identity Services Engine (ISE) that could let attackers access sensitive data, execute limited administrative operations, modify system configuration, or disrupt services on affected systems.

The flaw — CVE-2025-20286 — affected the cloud deployments of Amazon Web Services (AWS), Microsoft Azure, and the Oracle Cloud Infrastructure (OCI).

Cisco urged security teams to prioritize this patch. No exploitation in the wild has been reported.

Nic Adams, co-founder and CEO of 0rcus, explained that this Cisco ISE vulnerability is a nightmare on multiple fronts.

Any ISE deployment in AWS or Azure release 3.1 shares identical admin keys, said Adams, and 3.2 in AWS reuses the same key across every instance. Azure 3.2 clones Azure’s key pool, and then OCI 3.2 follows suit.

“Which means once an attacker extracts one credential, they can traverse across cloud tenants, harvest policy 'gold,' alter authentication realms, or disable enforcement modules without a single user click,” said Adams.

By contrast, the recent Cisco Wireless LAN Controller flaws required path traversal and token forging to escalate privileges on individual appliances, Adams continued. Thus, the ISE bug “shreds cloud identity chains” in one stroke, offering lateral movement, cross-region pivoting, and systemic takeover.

“Think of it as not a simple bypass, but rather a chain-of-trust rupture at scale,” said Adams.

James Maude, Field CTO at BeyondTrust, added that just when we thought the days of dealing with vendors using common default credentials were gone, or at least confined to the world of budget IoT devices, something like CVE-2025-20286 comes along and surprises us.

“While the credentials in this case are not entirely static, they are shared when the software release and cloud platform are the same,” said Maude. “This provides an opportunity to extract credentials from one deployment and use them to access others, making this a top priority to remediate, ideally by applying the hot fixes released as these also cover other vulnerabilities.”
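The practical check Maude's point implies is an inventory audit: group every ISE instance by the fingerprint of its admin credential and flag any fingerprint that appears more than once, alongside any instance on a platform/release pair described as sharing credentials. The script below is an added example, not Cisco's code or tooling from the people quoted; the inventory is constructed sample data, and the affected platform/release list is an assumption drawn from Adams's description above that must be confirmed against the vendor advisory.

```python
"""Audit an inventory of cloud ISE deployments for shared admin credentials.

Added example, not vendor code. SAMPLE_INVENTORY is constructed; a real run
would pull from a CMDB or cloud asset export. Credentials are compared by a
truncated SHA-256 fingerprint so the report never carries the secret itself.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List

# Assumption taken from the article's description: release 3.1 on AWS/Azure
# and release 3.2 on AWS/Azure/OCI share credentials per platform. Placeholder
# list; verify against Cisco's advisory for the releases you run.
AFFECTED_RELEASES = {
    ("aws", "3.1"), ("azure", "3.1"),
    ("aws", "3.2"), ("azure", "3.2"), ("oci", "3.2"),
}

# Constructed sample inventory: (instance_id, platform, release, admin_secret)
SAMPLE_INVENTORY = [
    ("ise-prod-1", "aws", "3.2", "s3cret-aws-32"),
    ("ise-prod-2", "aws", "3.2", "s3cret-aws-32"),   # same secret as ise-prod-1
    ("ise-dr-1", "azure", "3.2", "s3cret-az-32"),
    ("ise-lab-1", "azure", "3.1", "s3cret-az-31"),
    ("ise-lab-2", "oci", "3.3", "unique-oci-33"),     # release not in the list
]


def fingerprint(secret: str) -> str:
    """Hash the secret so the audit output never contains the credential."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def find_shared_credentials(inventory) -> Dict[str, List[str]]:
    """Group instance ids by credential fingerprint; keep groups of size > 1."""
    groups = defaultdict(list)
    for instance_id, _platform, _release, secret in inventory:
        groups[fingerprint(secret)].append(instance_id)
    return {fp: ids for fp, ids in groups.items() if len(ids) > 1}


def find_affected_instances(inventory) -> List[str]:
    """Instances running a platform/release pair listed as affected."""
    return [iid for iid, platform, release, _ in inventory
            if (platform, release) in AFFECTED_RELEASES]


def audit(inventory) -> Dict[str, object]:
    """Combine both checks into one report; the union is the rotation list."""
    shared = find_shared_credentials(inventory)
    affected = find_affected_instances(inventory)
    rotate = {iid for ids in shared.values() for iid in ids} | set(affected)
    return {
        "shared_credential_groups": shared,
        "affected_instances": affected,
        "needs_credential_rotation": sorted(rotate),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for fp, ids in report["shared_credential_groups"].items():
        print(f"credential {fp} shared by: {', '.join(ids)}")
    print("affected (patch, then rotate):", report["affected_instances"])
    print("rotate credentials on:", report["needs_credential_rotation"])
```

Two findings come out of the sample data: the two AWS 3.2 instances share one credential, which is exactly the cross-tenant reuse described above, and three more instances sit on listed platform/release pairs even though no duplicate was observed, because the reuse is with deployments outside your own inventory. Both sets go on the rotation list; patching alone does not invalidate a credential that was already extracted.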

Too many "critical" Cisco patches in one week?

News about the Cisco ISE flaw raised questions about how many “must fix” patches a security team can handle inside of a week.

“Nearly every ops squad can push two or three truly critical patches weekly — four if they automate approval gates, vuln scans, impact simulations, rollback playbooks across hybrid estates,” said 0rcus' Adams.

Prioritization revolves around the following: exploit availability (proof-of-concept or observed exploitation in the wild), blast radius (shared credentials hitting thousands of cloud nodes), pre-auth versus post-auth requirement, data sensitivity (identity fabric versus peripheral services), and the existence of temporary mitigations (network ACLs or forced credential resets).

“Essentially, anything that bypasses authentication before user interaction or allows RCE on cloud-admin tiers jumps to the front, because everything else waits,” said Adams.
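Adams's criteria can be written down as a sort key, which is the easiest way to make a weekly triage repeatable rather than argued case by case. The script below is an added example, not tooling from 0rcus or Cisco; the weights and the sample backlog are constructed for illustration, and the ISE entry is classified from the article's description (shared credentials usable without user interaction, identity fabric, large blast radius, no in-the-wild exploitation reported, credential reset available as a mitigation).

```python
"""Rank a patch backlog with the prioritization criteria quoted above.

Added example, not vendor or 0rcus tooling. Weights and SAMPLE_BACKLOG are
constructed; tune the weights to your own risk model.
"""
import math
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    name: str
    exploit_available: bool     # public PoC or exploitation observed in the wild
    blast_radius: int           # systems reachable from one compromise
    pre_auth: bool              # usable before authentication or user interaction
    identity_fabric: bool       # hits identity/auth services, not peripheral ones
    rce_on_admin_tier: bool     # remote code execution on a cloud-admin tier
    mitigation_available: bool  # temporary control exists (ACL, forced credential reset)


def score(f: Finding) -> float:
    """Numeric urgency; higher means patch sooner. Weights are assumptions."""
    s = 0.0
    if f.exploit_available:
        s += 30
    if f.pre_auth:
        s += 25
    if f.identity_fabric:
        s += 20
    if f.rce_on_admin_tier:
        s += 25
    # Blast radius counts logarithmically so a huge estate does not drown
    # out a confirmed exploit against a small one.
    s += 10 * math.log10(max(f.blast_radius, 1))
    if f.mitigation_available:
        s -= 15  # a mitigation buys time; it does not remove the patch
    return s


def sort_key(f: Finding) -> Tuple[bool, float]:
    """Pre-auth bypasses and admin-tier RCE sort ahead of everything else."""
    return (f.pre_auth or f.rce_on_admin_tier, score(f))


def prioritize(findings: List[Finding],
               weekly_capacity: int = 3) -> Tuple[List[str], List[str]]:
    """Split the backlog into this week's patches and the deferred remainder."""
    ordered = sorted(findings, key=sort_key, reverse=True)
    names = [f.name for f in ordered]
    return names[:weekly_capacity], names[weekly_capacity:]


# Constructed sample backlog. The ISE row is classified per the article's
# description; the other rows are invented to exercise the ordering.
SAMPLE_BACKLOG = [
    Finding("CVE-2025-20286 ISE shared cloud credentials",
            False, 5000, True, True, False, True),
    Finding("admin-tier RCE on edge appliance (constructed)",
            True, 40, False, False, True, False),
    Finding("peripheral reporting service DoS (constructed)",
            True, 3, False, False, False, True),
    Finding("post-auth privilege escalation in HR portal (constructed)",
            False, 200, False, False, False, False),
    Finding("internal wiki stored XSS (constructed)",
            False, 1, False, False, False, False),
]


if __name__ == "__main__":
    now, later = prioritize(SAMPLE_BACKLOG)
    print("patch this week:", now)
    print("deferred:", later)
```

With the three-per-week capacity Adams describes, the two queue-jumping entries (the admin-tier RCE with a public exploit and the ISE credential flaw) take the first slots, the post-auth escalation fills the third on blast radius alone, and the DoS with a mitigation in place waits despite having a public exploit. The tuple key is deliberate: the "jumps to the front" rule is a hard gate, not a weight that a large enough blast radius could outvote.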

Rom Carmel, co-founder and CEO at Apono, said the ISE flaw is yet another example of how authentication failures can leave organizations vulnerable. Carmel said while authentication is a critical first step, real security comes from layered defenses: what is referred to in the security field as "defense-in-depth."

“In the cloud, access privileges are the keys to the kingdom,” said Carmel. “Every identity, human or non-human, with standing privileged access increases exposure. Security leaders should work to minimize standing privileges and adopt a least-privilege model to reduce risk, especially in the event of an account takeover.”
