Cisco has released patches to address three vulnerabilities with public exploit code in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) solutions.
The most severe of the three is a critical static credential vulnerability tracked as CVE-2025-20286, found by GMO Cybersecurity’s Kentaro Kawane in Cisco ISE. This identity-based policy enforcement software provides endpoint access control and network device administration in enterprise environments.
The vulnerability is due to improperly generated credentials when deploying Cisco ISE on cloud platforms, resulting in shared credentials across different deployments.
Unauthenticated attackers can exploit it by extracting user credentials from Cisco ISE cloud deployments and using them to access installations in other cloud environments. However, as Cisco explained, threat actors can exploit this flaw successfully only if the Primary Administration node is deployed in the cloud.
“A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems,” the company explained.
“The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability that is described in this advisory.”
Cisco added that the following ISE deployments are not vulnerable to attacks:
- All on-premises deployments with any form factors where artifacts are installed from the Cisco Software Download Center (ISO or OVA). This includes appliances and virtual machines with different form factors.
- ISE on Azure VMware Solution (AVS)
- ISE on Google Cloud VMware Engine
- ISE on VMware cloud in AWS
- ISE hybrid deployments with all ISE Administrator personas (Primary and Secondary Administration) on-premises with other personas in the cloud.
The company advises admins still waiting for a hotfix or who cannot immediately apply the hotfixes released today to run the application reset-config ise command on the Primary Administration persona cloud node to reset user passwords to a new value.
However, admins should also be aware that this command will reset Cisco ISE to the factory configuration and that restoring backups will also restore the original credentials.
The other two security bugs with proof-of-concept exploit code patched today are an arbitrary file upload (CVE-2025-20130) in Cisco ISE and an information disclosure (CVE-2025-20129) in the Cisco Customer Collaboration Platform (formerly Cisco SocialMiner).
In September, Cisco patched another ISE flaw, a command injection vulnerability with public exploit code that can let attackers escalate privileges to root on unpatched systems.
Manual patching is outdated. It’s slow, error-prone, and tough to scale.
Join Kandji + Tines on June 4 to see why old methods fall short. See real-world examples of how modern teams use automation to patch faster, cut risk, stay compliant, and skip the complex scripts.
