Emergency Security Bulletin: Multiple Vulnerabilities affecting Cisco ISE API

https://www.redlegg.com/hubfs/Theme-2024/overlay-red.png featured image

By: RedLegg's Cyber Threat Intelligence Team

About:

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.

VULNERABILITIES

Cisco ISE API Unauthenticated Remote Code Execution Vulnerability

CVSS Score: 10.0 (Critical)
Identifier: CVE-2025-20281
Exploit or POC: No known public exploit yet
Update: CVE-2025-20281 – Cisco Security Advisory

Description: CVE-2025-20281 is a critical vulnerability in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), affecting versions 3.3 and later. It results from insufficient validation of user-supplied input in a publicly exposed API, enabling an unauthenticated remote attacker to execute arbitrary code as the root user via a crafted API request. This flaw poses a severe security risk, permitting full system control without authentication.

Mitigation Recommendation:

Apply patches immediately to affected systems:

  • ISE/ISE-PIC 3.3: install Patch 6

  • ISE/ISE-PIC 3.4: install Patch 2
 
After patching, verify system integrity to ensure no unauthorized files or modifications are present.
 
Restrict network access to ISE and ISE-PIC management and API endpoints until updates are in place.

 
Note: While no exploitation has been observed in the wild, the vulnerability's pre-authentication root access potential makes it a high-priority fix. Prompt patching is essential to prevent potential compromise of critical identity management infrastructure.

 


Cisco Identity Services Engine (ISE) Unauthenticated Remote Code Execution Vulnerability

 

CVSS Score: 10.0 (Critical)
Identifier: CVE-2025-20282
Exploit or POC: No known public exploit yet
Update: CVE-2025-20282 – Cisco Security Advisory

Description: CVE-2025-20282 is a critical vulnerability in Cisco ISE and ISE Passive Identity Connector (ISE-PIC) version 3.4. The flaw arises due to inadequate file validation in an internal API, allowing an unauthenticated, remote attacker to upload a crafted file into privileged system directories. This uploaded file can then be executed, resulting in root-level command execution without any authentication needed. Exploitation of this vulnerability permits full takeover of the affected device.

Affected Versions:

  • Cisco ISE and ISE-PIC 3.4 (all builds prior to 3.4 Patch 2)

Mitigation Recommendation

Apply the patch for ISE-PIC 3.4 Patch 2 (build unifies both CVE-2025-20281 and CVE-2025-20282 fixes).
 
After patching, validate system integrity checks and verify no unauthorized files remain.
 
Restrict access to ISE management and API ports until full remediation is confirmed.


Note: Both CVE-2025-20281 and CVE-2025-20282 score 10.0 and allow root-level RCE without authentication. Cisco reports no current in-the-wild exploitation, but given their severity and ease of exploitation, immediate patching is strongly advised.