A critical vulnerability (CVE-2025-20337) in Cisco’s Identity Services Engine (ISE) could be exploited to let an unauthenticated attacker store malicious files, execute arbitrary code, or gain root privileges on vulnerable devices.
The security issue received the maximum severity rating, 10 out of 10, and is caused by insufficient user-supplied input validation checks.
It was discovered by Kentaro Kawane, a researcher at the Japanese cybersecurity service GMO Cybersecurity by Ierae, and reported Trend Micro’s Zero Day Initiative (ZDI).
A remote unauthenticated attacker could leverage it by submitting a specially crafted API request
The vulnerability was added via an update to the security bulletin for CVE-2025-20281 and CVE-2025-20282, two similar RCE vulnerabilities that also received the maximum severity score, that impact ISE and ISE-PIC versions 3.4 and 3.3.
“These vulnerabilities affect Cisco ISE and ISE-PIC releases 3.3 and 3.4, regardless of device configuration,” the vendor notes for CVE-2025-20281 and CVE-2025-20337, adding that “these vulnerabilities do not affect Cisco ISE and ISE-PIC Release 3.2 or earlier.”
Any of the three security issues can be exploited independently.
Cisco also warns that customers who applied the patches for CVE-2025-20281 and CVE-2025-20282 are not covered from CVE-2025-20337, and need to upgrade to ISE 3.3 Patch 7 or ISE 3.4 Patch 2.
The product versions below are the only ones currently confirmed to address all three maximum severity vulnerabilities. Workarounds or other mitigations are not available.
| Cisco ISE or ISE-PIC Release | First Fixed Release for CVE-2025-20281 | First Fixed Release for CVE-2025-20282 | First Fixed Release for CVE-2025-20337 |
|---|---|---|---|
| 3.2 and earlier | Not vulnerable | Not vulnerable | Not vulnerable |
| 3.3 | 3.3 Patch 7 | Not vulnerable | 3.3 Patch 7 |
| 3.4 | 3.4 Patch 2 | 3.4 Patch 2 | 3.4 Patch 2 |
Although no exploitation of any of the three critical vulnerabilities has been observed in the wild as of yet, it is recommended that system administrators take immediate action to mitigate the risks.
Also yesterday, Cisco released four security advisories for less severe vulnerabilities (medium to high severity rating) in several of its products:
- CVE-2025-20274: High-severity arbitrary file upload vulnerability impacting Cisco Unified Intelligence Center, including Unified CCX bundles. Authenticated users with Report Designer privileges can upload malicious files and potentially execute them as root. Fixed in versions 12.5(1) SU ES05 and 12.6(2) ES05.
- CVE-2025-20272: Medium-severity blind SQL injection vulnerability in Cisco Prime Infrastructure and EPNM. Low-privileged users can exploit REST APIs to extract unauthorized database content. Resolved in Prime Infrastructure 3.10.6 SU2 and EPNM versions 8.0.1 and 8.1.1.
- CVE-2025-20283, CVE-2025-20284, CVE-2025-20285: Medium-severity authenticated RCE and IP access restriction bypass vulnerabilities in Cisco ISE and ISE-PIC. High-privileged users can execute commands as root or log in from unauthorized IPs. Affects versions 3.3 and 3.4; fixed in 3.3 Patch 7 and 3.4 Patch 2.
- CVE-2025-20288: Medium-severity SSRF vulnerability in Cisco Unified Intelligence Center, exploitable without authentication. Allows attackers to send arbitrary internal requests via the affected system. Impacts versions 12.5 and 12.6, including Unified CCX bundles. Fixed in 12.5(1) SU ES05 and 12.6(2) ES05.
Cisco notes that there no workarounds for any of the above vulnerabilities and advises customers to determine their risk exposure based on the vendor’s information and ensure that the devices have enough memory before considering an upgrade.
Additionally, administrators should test and confirm that current configurations for hardware and software components are properly supported by the newer Cisco product release.
Contain emerging threats in real time – before they impact your business.
Learn how cloud detection and response (CDR) gives security teams the edge they need in this practical, no-nonsense guide.
