Cisco confirmed the attempted exploitation of max severity flaws in its Identity Services Engine (ISE) and ISE Passive Identity Connector.In an advisory updated Monday, Cisco said it was aware of exploitation attempts in the wild of “some” of the three CVSS 10.0 vulnerabilities in ISE disclosed over the past month.The first two vulnerabilities — tracked as CVE-2025-20281 and CVE-2025-20282 — were disclosed on June 25. The third, tracked as CVE-2025-20337, was disclosed on July 16.CVE-2025-20281 is due to insufficient validation of user-supplied input and could enable a remote, unauthenticated attacker to execute arbitrary code on the operating system as root without valid credentials.CVE-2025-20282 enables an unauthenticated, remote attacker to upload and execute arbitrary files as root on the operating system due to a lack of file validation checks on files placed in privileged directories.CVE-2025-20337 has a nearly identical description to CVE-2025-20281, allowing an unauthenticated, remote attacker to execute arbitrary code as root due to insufficient input validation.CVE-2025-20281 and CVE-2025-20337 are described as affecting a “specific API of Cisco ISE and Cisco ISE-PIC” and can be exploited by submitting a crafted API request, while CVE-2025-20282 is said to affect an “internal API of Cisco ISE and Cisco ISE-PIC” and can be exploited by uploading a crafted file.The three vulnerabilities do not rely on one another and can be exploited separately, Cisco noted.There are no workarounds for these vulnerabilities, and they can only be resolved by patching to fixed versions of ISE and ISE-PIC. CVE-2025-20281 and CVE-2025-20337 affect ISE and ISE-PIC releases 3.3 and 3.4 while CVE-2025-20282 affects release 3.4.For ISE instances the received the hot fixes ise-applyCSCwo99449_3.3.0.430_patch4-SPA.tar.gz or ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz, customers should upgrade to Release 3.3 Patch 7 or Release 3.4 Patch 2, as these hot patches do not address CVE-2025-20337.For instances running Release 3.3 Patch 6, customers should upgrade to Release 3.3 Patch 7, which contains additional fixes. Instances running Release 3.4 Patch 2 do not require additional upgrades, according to Cisco.Cisco products are commonly targeted by threat actors, with more than 75 Cisco vulnerabilities included in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. None of the three max severity ISE/ISE-PIC vulnerabilities had not been added to CISA’s KEV catalog as of Tuesday afternoon.Cisco also patched a max severity flaw in its Unified Communications Manager and Communications Manager Session Management Edition on July 2, tracked as CVE-2025-20309. This vulnerability, which involved a static user credential for a root account, is not reported to have been exploited in the wild.
Identity, Vulnerability Management, Threat Intelligence, Patch/Configuration Management

Cisco warns of attempted exploitation of max severity ISE flaws

(Credit: Casimiro – stock.adobe.com)

Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



