Cisco warns of critical flaws in Identity Services Engine rated 10.0

Cisco issued an advisory Wednesday to address multiple flaws in its Identity Services Engine (ISE) platform.

The networking giant issued a warning over a pair of security vulnerabilities in the ISE system and multiple appliances. The issues are serious enough to warrant a 10.0 CVSS rating and a critical security classification.

“Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user,” Cisco said of the flaws.

Administrators are advised to check and update their network infrastructure to patch the vulnerabilities.

Cisco noted there are no mitigations for either of the flaws and the only remedy is to patch any appliances running Cisco ISE and Cisco ISE-PIC versions 3.3 and 3.4. Earlier versions of the platform are not believed to be affected.

The first of the flaws is listed as CVE-2025-20281 and concerns an input validation flaw within the API used by both ISE and ISE-PIC versions 3.3 and later.

The vulnerability essentially allows a remote attacker to send a data request containing specially crafted commands that allow for remote takeover of the targeted system.

“This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request,” Cisco said of the vulnerability.

“A successful exploit could allow the attacker to obtain root privileges on an affected device.”

In practice, the flaw could be leveraged by a threat actor as the first step in installing a remote shell or other malware payloads on a targeted system and gaining a foothold for a larger network infiltration.

Cisco noted that the flaw could be exploited remotely without the need for any valid user credentials on the targeted system.
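The advisory attributes CVE-2025-20281 to insufficient validation of user-supplied input reaching the operating system. The following is an added, constructed example (not Cisco's code and not derived from ISE) of the general pattern behind that class of flaw: an API handler that hands a request parameter to an OS command. The `vulnerable_command_line` function only builds the string and never runs it; `build_command` shows the hardened form, validating the parameter against a strict allowlist and passing it as a separate argv element with no shell. The hostname syntax rule and the `ping` diagnostic are assumptions chosen for illustration.

```python
import re
import subprocess

# Allowlist for a DNS hostname label sequence (assumed rule for this example):
# alphanumerics and interior hyphens, labels of 1-63 chars, total length <= 253.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command_line(host: str) -> str:
    """Builds the command line an unsafe handler would pass to a shell.

    Shown for contrast only: the client-controlled value is interpolated
    verbatim, so shell metacharacters in it change the command that runs.
    This function never executes anything.
    """
    return "ping -c 1 " + host


def validate_hostname(host: str) -> bool:
    """Return True only if the value matches the hostname allowlist."""
    return bool(HOSTNAME_RE.match(host))


def build_command(host: str) -> list[str]:
    """Hardened form: reject anything outside the allowlist, then build argv.

    Returning a list and later running it with shell=False means the value
    is a single argument to ping, not text a shell re-parses.
    """
    if not validate_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def run_diagnostic(host: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Execute the validated argv without a shell (not invoked by the tests)."""
    return subprocess.run(
        build_command(host), shell=False, capture_output=True, timeout=timeout
    )


def shell_metacharacters_present(command_line: str) -> bool:
    """Detection helper: flag command lines a vulnerable handler would have
    produced from hostile input, for comparison against the hardened path."""
    return any(ch in command_line for ch in ";|&`$()<>\n")


if __name__ == "__main__":
    # Constructed sample inputs: a normal hostname and one carrying a chained command.
    for sample in ("example.com", "example.com; id"):
        print("unsafe line:", vulnerable_command_line(sample))
        try:
            print("hardened argv:", build_command(sample))
        except ValueError as exc:
            print("hardened path:", exc)
```

The defensive point is the two-layer design: even if the allowlist had a gap, the argv list with `shell=False` leaves no shell to interpret metacharacters, and the allowlist in turn keeps the argument bounded to what the diagnostic actually needs.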

The second flaw, designated CVE-2025-20282, is also a remote code execution vulnerability, this one in what Cisco terms an “internal API” used by both ISE and ISE-PIC versions 3.4 and later.

The vulnerability stems from improper handling of uploaded files, which allows arbitrary file execution. In practice, an attacker could use it to upload and execute malware payloads without any checks or scanning.

“This vulnerability is due to a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system,” Cisco said.

“A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system.”
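Cisco's description of CVE-2025-20282 is a missing check that would keep uploaded files out of privileged directories. As an added, constructed example (not Cisco's code and not derived from ISE), the block below contrasts an upload handler that joins a client-supplied filename straight onto its upload directory with a hardened version that strips the name to its last component, confirms the resolved path stays under the upload root, restricts the extension, caps the size, and creates the file exclusively with a non-executable mode. The upload root, the allowed extensions and the size limit are assumptions for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumed upload root for this example; a fresh temporary directory so it runs anywhere.
UPLOAD_ROOT = Path(tempfile.mkdtemp(prefix="uploads-"))

# Assumed policy: only these extensions and at most 1 MB per file.
ALLOWED_SUFFIXES = {".txt", ".csv", ".pem"}
MAX_UPLOAD_BYTES = 1_000_000


def vulnerable_save_path(filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """The missing-check version: the client name is joined as-is.

    A name containing '../' walks out of the upload directory, and an
    absolute name makes os.path.join discard the root entirely.
    Returned for comparison only; nothing is written here.
    """
    return Path(os.path.join(root, filename))


def safe_save_path(filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """Confine the destination to the upload root.

    Keep only the final path component, reject empty and dot names, then
    resolve the candidate and require the resolved root to be its parent.
    """
    name = Path(filename).name
    if name in ("", ".", "..") or name.startswith("."):
        raise ValueError(f"rejected filename: {filename!r}")
    candidate = (root / name).resolve()
    if root.resolve() not in candidate.parents:
        raise ValueError(f"path escapes upload root: {filename!r}")
    return candidate


def validate_upload(filename: str, content: bytes) -> Path:
    """Apply the destination, extension and size checks; return the safe path."""
    path = safe_save_path(filename)
    if path.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"extension not allowed: {path.suffix!r}")
    if len(content) > MAX_UPLOAD_BYTES:
        raise ValueError("upload exceeds size limit")
    return path


def save_upload(filename: str, content: bytes) -> Path:
    """Validate, then write with O_EXCL (no overwrite) and mode 0600 (no exec bits)."""
    path = validate_upload(filename, content)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


def escapes_root(path: Path, root: Path = UPLOAD_ROOT) -> bool:
    """Detection helper: True if a resolved path lies outside the upload root."""
    return root.resolve() not in path.resolve().parents


if __name__ == "__main__":
    # Constructed sample names: one ordinary, one with traversal, one absolute.
    for sample in ("report.txt", "../../etc/cron.d/job.txt", "/etc/profile.d/x.txt"):
        print(sample, "-> unsafe:", vulnerable_save_path(sample),
              "escapes:", escapes_root(vulnerable_save_path(sample)))
        print(sample, "-> safe:", safe_save_path(sample))
```

Resolving the path before the containment check matters: symlinks or `..` segments that survive naive string filtering are collapsed, so the comparison is made on where the file would actually land. The exclusive-create flag and 0600 mode are the second layer, limiting what a file that does reach disk can do even if a later check is bypassed.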

Cisco noted that, while the flaws are being patched as a pair, each can be targeted separately and both hold a maximum CVSS rating of 10.0.

“The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit the other vulnerability,” the company said.

“In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerability.”

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
