
Two 10.0 Cisco ISE bugs added to CISA list of exploited vulnerabilities


The Cybersecurity and Infrastructure Security Agency (CISA) placed two critical 10.0 Cisco Identity Services Engine (ISE) bugs on its Known Exploited Vulnerabilities (KEV) list July 28.

The two bugs — CVE-2025-20281 and CVE-2025-20337 — were first discovered by researchers at the Trend Micro Zero Day Initiative and were disclosed by Cisco on June 25.

The move by CISA to place the vulnerabilities on its KEV list follows a July 22 SC Media report that Cisco determined that the flaws were exploited in the wild.

Nic Adams, co-founder and CEO at 0rcus, explained that successfully exploiting the Cisco flaws on an ISE instance translates to unfettered control over a foundational component of enterprise network security.

Adams added that Cisco ISE acts as the central policy enforcement point, managing authentication, authorization, and accounting (AAA) for users and devices. Gaining root access lets an attacker bypass network access controls and manipulate or disable network access policies, granting unauthorized access to internal network segments, critical infrastructure, and sensitive data, he said.

“This effectively neutralizes the primary purpose of ISE,” said Adams.

Lawrence Pingree, vice president at Dispersive, said teams running the latest version and patch of ISE will not be vulnerable to this highly exploited flaw.

“One reason ISE is so important is that it's an identity and authorization source for the network, so theoretically it can be tampered to potentially gather more credentials, trust relationship information, and change the behavior of network authorizations, such as make changes to user policies,” said Pingree. “So any related vulnerability to these types of systems is critical to patch.”
