CVE-2025-20286: Cloud Credential Reuse Exposes Cisco ISE to Remote Exploitation

Filip Dimitrov

June 6, 2025

Cisco Identity Services Engine Cloud Static Credential Vulnerability
Date: June 6, 2025
Severity: Critical (CVSS 9.9)
Threat Level: HIGH
Exploitation Status: Proof-of-Concept (PoC) exploit publicly available

Executive Summary

On June 4, 2025, Cisco disclosed a critical vulnerability (CVE-2025-20286) affecting cloud deployments of Cisco Identity Services Engine (ISE). The vulnerability results from improperly generated static credentials, which are identical across all ISE instances deployed on the same cloud platform (AWS, Azure, OCI) and software version. 

Successful exploitation allows unauthenticated remote attackers to access sensitive data, modify configurations, execute administrative actions, or disrupt services.

While no active exploitation has been observed as of this writing, publicly available PoC exploit code increases the likelihood of threat actors leveraging this vulnerability in the near term. Cloud-based Cisco ISE Primary Administration Node deployments are at risk; on-premises deployments are not affected.

Affected Products

Platform | Cisco ISE Vulnerable Versions
AWS      | 3.1, 3.2, 3.3, 3.4
Azure    | 3.2, 3.3, 3.4
OCI      | 3.2, 3.3, 3.4

Note: Deployments where the Primary Administration Node is fully on-premises are not affected.

Technical Details

  • Root Cause: Improper credential generation during cloud deployment, causing identical static credentials across instances of the same version and platform.
  • Attack Scenario:
    • An attacker extracts the static credentials from one compromised ISE cloud deployment.
    • Because the same credentials are present on every other ISE deployment of the same cloud platform and version, they are reused against those deployments.
    • This enables cross-environment compromise over any management ports left reachable from untrusted networks.
  • Impact if Exploited:
    • Access sensitive data
    • Execute limited administrative operations
    • Modify system configurations
    • Disrupt services
  • Vulnerability Class: CWE-259 (Use of Hard-coded Password)
  • CVSS 3.1 Score: 9.9 (Critical)
Exploitation Status

  • Public proof-of-concept exploit code is confirmed to exist.
  • No confirmed cases of active exploitation in the wild as of June 6, 2025.
  • Cisco and multiple CTI sources assess that adversaries may soon incorporate this vulnerability into attack chains, especially APTs or state-aligned actors historically targeting Cisco products.

Related Vulnerabilities

Cisco also disclosed two additional vulnerabilities during this release window that carry lower severity but may be relevant for broader risk assessments:

CVE            | Product                              | Severity | Notes
CVE-2025-20130 | Cisco ISE                            | Medium   | Arbitrary file upload
CVE-2025-20129 | Cisco Customer Collaboration Platform | Medium   | Information disclosure

PoC code exists for both vulnerabilities, along with CVE-2025-20188, which OP Innovate covered earlier this week. 

Mitigation & Recommendations

  • Immediate Action: Apply vendor-provided software updates.

Fixed versions:

ISE Version | Fixed Release
3.1         | Migrate to fixed release
3.2         | Migrate to fixed release
3.3         | 3.3P8 (ETA Nov 2025)
3.4         | 3.4P3 (ETA Oct 2025)
3.5         | Planned fix (Aug 2025)

Hotfix (interim fix available):
ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz for versions 3.1–3.4

Additional Mitigations:
  • Restrict ISE cloud access via Cloud Security Groups (IP allowlisting for trusted administrators)
  • Limit management access within ISE via source IP restrictions
  • For fresh deployments, reset credentials using "application reset-config ise" (note: this performs a factory reset)
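The security-group restriction above, as an added example that is not from the advisory, Cisco, or OP Innovate: a Python audit over a constructed, simplified list of ingress rules in an AWS-like shape (an assumption for illustration, not the real describe-security-groups schema). It flags any rule that exposes a management port to a source outside a trusted administrator network and produces the narrowed rule set beside the weak one. The port set (22 and 443) and the 203.0.113.0/24 administrator network are assumptions; substitute your deployment's actual management ports and networks.

```python
"""Audit cloud security-group ingress rules that expose an ISE node's
management ports to untrusted sources, and emit a hardened copy.

Added example, not the advisory's or Cisco's code. The rule dictionaries
below are a constructed, simplified AWS-like shape (assumption).
"""
import ipaddress

# Assumption: ports that should only be reachable from administrator networks.
# 22 (SSH) and 443 (admin GUI) are generic examples; confirm against your deployment.
MANAGEMENT_PORTS = {22, 443}

# Assumption: the only networks that should reach the management ports (TEST-NET-3).
TRUSTED_ADMIN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample rule set. protocol "-1" means "all traffic" in the AWS convention.
SAMPLE_RULES = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]},      # admin GUI open to the internet
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["203.0.113.0/24"]},   # SSH limited to admins: fine
    {"protocol": "tcp", "from_port": 8443, "to_port": 8443, "cidrs": ["0.0.0.0/0"]},    # not a management port in this model
    {"protocol": "-1", "cidrs": ["198.51.100.0/24"]},                                    # all traffic from an untrusted range
]


def rule_covers_port(rule, port):
    """True when a port-range rule includes the given TCP port."""
    return rule["from_port"] <= port <= rule["to_port"]


def reaches_management_port(rule, port):
    """True when the rule admits traffic to the given management port."""
    if rule["protocol"] == "-1":
        return True
    return rule["protocol"] == "tcp" and rule_covers_port(rule, port)


def is_overly_broad(cidr):
    """A source is broad unless it sits entirely inside a trusted admin network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(
        net.subnet_of(trusted)
        for trusted in TRUSTED_ADMIN_NETWORKS
        if trusted.version == net.version  # subnet_of rejects mixed IPv4/IPv6
    )


def audit_ingress(rules):
    """Return one finding per (management port, untrusted source) pair."""
    findings = []
    for rule in rules:
        for port in sorted(MANAGEMENT_PORTS):
            if not reaches_management_port(rule, port):
                continue
            for cidr in rule["cidrs"]:
                if is_overly_broad(cidr):
                    findings.append({"port": port, "source": cidr})
    return findings


def harden(rules):
    """Copy of the rule set with every management-port rule narrowed to the admin networks."""
    hardened = []
    for rule in rules:
        narrowed = dict(rule)
        if any(reaches_management_port(rule, p) for p in MANAGEMENT_PORTS):
            narrowed["cidrs"] = [str(n) for n in TRUSTED_ADMIN_NETWORKS]
        hardened.append(narrowed)
    return hardened


if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_RULES):
        print(f"EXPOSED: port {finding['port']} reachable from {finding['source']}")
    print("after hardening:", audit_ingress(harden(SAMPLE_RULES)))
```

The audit deliberately treats an "all traffic" rule as reaching every management port, since that is how such a rule behaves; a rule on a non-management port from 0.0.0.0/0 is left alone here because the point is the administrative surface, not every open port.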

Threat Landscape Context

  • Cisco products are frequent targets for advanced threat actors.
  • CISA’s Known Exploited Vulnerabilities (KEV) catalog historically contains multiple Cisco CVEs.
  • With cloud adoption expanding, vulnerabilities in cloud-specific configurations, such as static credential reuse, present an attractive opportunity for both state-sponsored and financially motivated attackers.

OP Innovate Assessment

Given the severity (CVSS 9.9), nature of exposure (unauthenticated remote access), cloud deployment dependency, and confirmed PoC availability, OP Innovate assesses CVE-2025-20286 as a high-priority vulnerability that requires immediate attention for any client operating Cisco ISE cloud deployments.

OP Innovate recommends:

  • Prioritized patching of all affected versions
  • Immediate review of cloud deployment architecture
  • Proactive monitoring for unusual authentication patterns across cloud-hosted Cisco ISE nodes
  • Internal threat hunting for potential unauthorized access leveraging these credentials
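As an added example for the monitoring and threat-hunting recommendations (not part of the advisory, and the log format is constructed for illustration rather than Cisco ISE's own): a Python hunt over sample administrator-authentication lines that flags successful logins from sources outside an allowlist, accounts that authenticate from several distinct sources, and single sources that authenticate against multiple nodes within a short window, which is the cross-environment pattern the Attack Scenario describes. Node names, account names and addresses are all constructed.

```python
"""Hunt for credential-reuse patterns in admin authentication logs.

Added example, not the advisory's code. The line format is constructed
(assumption) and is not Cisco ISE's real log format; map the regex to
whatever your collector actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO time> node=<name> user=<account> src=<ip> result=<ok|fail>"
SAMPLE_LOG = """\
2025-06-05T10:00:01Z node=ise-aws-1 user=admin src=203.0.113.10 result=ok
2025-06-05T10:02:15Z node=ise-aws-1 user=admin src=198.51.100.7 result=ok
2025-06-05T10:03:40Z node=ise-aws-2 user=admin src=198.51.100.7 result=ok
this line is malformed and must be skipped, not crash the hunt
2025-06-05T10:04:02Z node=ise-aws-3 user=admin src=198.51.100.7 result=fail
2025-06-05T10:05:30Z node=ise-aws-1 user=ops src=203.0.113.11 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) node=(?P<node>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed allowlist of administrator source addresses (assumption).
TRUSTED_ADMIN_SOURCES = {"203.0.113.10", "203.0.113.11"}


def parse(log_text):
    """Parse well-formed lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def untrusted_successes(events):
    """Successful logins whose source is not on the administrator allowlist."""
    return [e for e in events if e["result"] == "ok" and e["src"] not in TRUSTED_ADMIN_SOURCES]


def multi_source_accounts(events, min_sources=2):
    """Accounts that logged in successfully from at least min_sources distinct addresses."""
    sources = defaultdict(set)
    for e in events:
        if e["result"] == "ok":
            sources[e["user"]].add(e["src"])
    return {user: sorted(s) for user, s in sources.items() if len(s) >= min_sources}


def cross_node_sources(events, min_nodes=2, window=timedelta(minutes=10)):
    """Sources that authenticate (ok or fail) against min_nodes or more distinct
    nodes within the window: one address walking across several deployments."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            nodes = {x["node"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(nodes) >= min_nodes:
                flagged[src] = sorted(nodes)
                break
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for e in untrusted_successes(evs):
        print(f"UNTRUSTED LOGIN: {e['user']} on {e['node']} from {e['src']}")
    print("accounts with multiple sources:", multi_source_accounts(evs))
    print("sources touching multiple nodes:", cross_node_sources(evs))
```

Failed attempts are counted in the cross-node check on purpose: a source trying the same account against several nodes is the signal, whether or not each attempt succeeded.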

Stay Secure. Stay Informed.

OP Innovate Research Team.