By: RedLegg's Cyber Threat Intelligence Team
About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Cisco Identity Services Engine (ISE) Static Credential Vulnerability
CVSS Score: 9.9 (Critical)
Identifier: CVE-2025-20286
Exploit or POC: Yes – Proof-of-concept exploit exists
Update: CVE-2025-20286 – Cisco Security Advisory
Description: CVE-2025-20286 is a critical vulnerability affecting Cisco Identity Services Engine (ISE) deployments on cloud platforms such as Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). The vulnerability arises from the use of static credentials during deployment, resulting in multiple ISE instances sharing the same credentials within the same software release and cloud platform. An unauthenticated, remote attacker could exploit this flaw to access sensitive data, perform limited administrative operations, modify system configurations, or disrupt services on affected systems.
Affected Versions:
- AWS: Cisco ISE versions 3.1, 3.2, 3.3, and 3.4
- Azure: Cisco ISE versions 3.2, 3.3, and 3.4
- OCI: Cisco ISE versions 3.2, 3.3, and 3.4
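The following triage helper is an added example written for this bulletin, not Cisco's code or a RedLegg tool. It encodes the affected platform/version matrix above and, on a constructed fleet inventory, flags instances that fall inside it or that share a deployment-credential fingerprint with another instance, which is the symptom the description gives for static deployment credentials. The `cred_fingerprint` field (a hash of each instance's deployment credential exported from your inventory or vault) is a hypothetical input.

```python
"""CVE-2025-20286 fleet triage (constructed example, not Cisco's code)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Affected cloud platform -> ISE release trains, exactly as listed in the bulletin.
AFFECTED = {
    "aws": {"3.1", "3.2", "3.3", "3.4"},
    "azure": {"3.2", "3.3", "3.4"},
    "oci": {"3.2", "3.3", "3.4"},
}

@dataclass(frozen=True)
class IseInstance:
    name: str
    platform: str          # "aws", "azure", "oci", or another label for non-cloud nodes
    version: str           # full release string, e.g. "3.2 Patch 4"
    cred_fingerprint: str  # hash of the deployment credential (hypothetical inventory field)

def release_train(version: str) -> str:
    """'3.2 Patch 4' -> '3.2'; the advisory matrix is keyed on major.minor."""
    m = re.match(r"\d+\.\d+", version)
    return m.group(0) if m else version

def is_affected(inst: IseInstance) -> bool:
    """True when the platform/train pair appears in the bulletin's affected list."""
    return release_train(inst.version) in AFFECTED.get(inst.platform.lower(), set())

def shared_credentials(fleet):
    """Map each credential fingerprint used by more than one instance to those names.
    Any reuse is a finding: the flaw is that instances of one release on one
    cloud platform were deployed with the same static credentials."""
    groups = defaultdict(list)
    for inst in fleet:
        groups[inst.cred_fingerprint].append(inst.name)
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}

def triage(fleet):
    """Names needing emergency action: in the affected matrix, or sharing a credential."""
    shared = {n for names in shared_credentials(fleet).values() for n in names}
    return sorted({i.name for i in fleet if is_affected(i)} | shared)

# Constructed inventory; fingerprints are placeholders, not real hashes.
FLEET = [
    IseInstance("ise-aws-1", "aws", "3.2 Patch 4", "fp-aaa"),
    IseInstance("ise-aws-2", "aws", "3.2 Patch 4", "fp-aaa"),  # same credential as ise-aws-1
    IseInstance("ise-azure-1", "azure", "3.1", "fp-bbb"),      # 3.1 is not in the bulletin's Azure list
    IseInstance("ise-oci-1", "oci", "3.3", "fp-ccc"),
    IseInstance("ise-onprem", "vmware", "3.4", "fp-ddd"),      # not one of the listed cloud platforms
]

if __name__ == "__main__":
    print("shared credentials:", shared_credentials(FLEET))
    print("patch now:", triage(FLEET))
```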
Mitigation Recommendation: Cisco has released patches to address this vulnerability. Organizations using affected versions should upgrade immediately to prevent unauthorized access. If immediate patching is not feasible, it is strongly recommended to implement the following measures:
Note: Given the critical severity of this vulnerability and the existence of a proof-of-concept exploit, prompt action is essential to secure affected systems. Regularly reviewing and applying security updates is vital to maintaining the integrity and security of your infrastructure.