On June 25, 2025, Cisco disclosed and patched two critical remote code execution (RCE) vulnerabilities: CVE-2025-20281 and CVE-2025-20282, affecting its widely deployed Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC).
Both flaws can be exploited without authentication or user interaction, posing a serious threat to the integrity of enterprise identity and access management systems.
CVE Overview
CVE-2025-20281 (CVSS 9.8)
- Affects ISE/ISE-PIC versions 3.3 and 3.4
- Attack vector: Crafted API request
- Flaw: No input validation in public-facing API
- Result: Full unauthenticated remote command execution as root
CVE-2025-20282 (CVSS 10.0)
- Affects ISE/ISE-PIC version 3.4 only
- Attack vector: Malicious file upload via internal API
- Flaw: No proper file validation
- Result: Attacker-controlled code executed from privileged directories with root privileges
These flaws don’t require chained exploitation. Either one can grant root without credentials or user interaction.
Why This Matters
Cisco ISE sits at the core of identity enforcement and is often integrated with Active Directory, VPN gateways, and NAC solutions. Gaining root on an ISE deployment doesn’t just mean owning a device. It means potentially rerouting, reauthorizing, or replaying identity logic at the network edge.
Both vulnerabilities target under-secured API surfaces. This continues a broader trend we’ve been tracking: exposed management interfaces and insufficient API hardening becoming the soft underbelly of enterprise infrastructure.
Exploitation Outlook
The vulnerabilities were disclosed only two days ago, and Cisco has stated that there is currently no evidence of in-the-wild exploitation. But the combination of:
- unauthenticated access
- remote root capability
- and enterprise ubiquity
…makes this a prime candidate for rapid weaponization. In particular, CVE-2025-20281 can be exploited using a single malformed API call, making it ideal for botnet scanners and low-skill actors once a proof-of-concept (PoC) is released.
Patching Details
There are no workarounds. Only patches. Here’s the breakdown:
| Affected Version | Patch for CVE-2025-20281 | Patch for CVE-2025-20282 |
| --- | --- | --- |
| ISE 3.3 | Patch 6 | Not affected |
| ISE 3.4 | Patch 2 | Patch 2 |
If you are running ISE 3.2 or earlier, you are safe from these specific CVEs — but likely exposed to others. (Also, these versions are approaching or past end-of-support.)
If you’re an OP Innovate client using our WASP platform, our team has already begun proactive validation to identify:
- unpatched ISE instances
- exposed API surfaces
- indicators of scanning or exploit attempts
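As an added example (not OP Innovate's WASP code and not from Cisco), the patch table above turned into a small inventory check, the first step of the "unpatched ISE instances" validation just described: it parses ISE version strings in an assumed `major.minor.build Patch N` form and reports which of the two CVEs each host is still exposed to. Hostnames and versions in the sample inventory are constructed.

```python
import re
from dataclasses import dataclass

# Patch table from Cisco's June 25, 2025 advisory: (major, minor) -> {CVE: first fixing patch}.
# ISE 3.2 and earlier are absent because they are not affected by either CVE.
FIXED_IN = {
    (3, 3): {"CVE-2025-20281": 6},
    (3, 4): {"CVE-2025-20281": 2, "CVE-2025-20282": 2},
}

# Assumed version string shape, e.g. "3.4.0.608 Patch 1" or "3.3 Patch 6"; no patch means level 0.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)*(?:\s+patch\s+(\d+))?$", re.IGNORECASE)

@dataclass(frozen=True)
class IseVersion:
    major: int
    minor: int
    patch: int

def parse_version(text: str) -> IseVersion:
    """Parse an ISE version string; raise ValueError on anything unrecognised."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    major, minor, patch = m.groups()
    return IseVersion(int(major), int(minor), int(patch or 0))

def open_cves(v: IseVersion) -> list[str]:
    """CVEs from the advisory that this version is still exposed to (sorted)."""
    fixes = FIXED_IN.get((v.major, v.minor), {})
    return sorted(cve for cve, first_fixed in fixes.items() if v.patch < first_fixed)

def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Map host -> outstanding CVEs, keeping only hosts that still need a patch."""
    return {host: cves for host, ver in inventory.items()
            if (cves := open_cves(parse_version(ver)))}

# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = {
    "ise-pan-01.example.test": "3.4.0.608 Patch 1",
    "ise-psn-02.example.test": "3.3.0.430 Patch 6",
    "ise-psn-03.example.test": "3.3.0.430 Patch 4",
    "ise-pic-01.example.test": "3.2.0.542 Patch 7",
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: still exposed to {', '.join(cves)}")
```

Feed it the version strings your own asset inventory or ISE API export reports; an unrecognised string raises rather than silently passing as patched.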