Cisco is warning that three recently patched critical remote code execution vulnerabilities in Cisco Identity Services Engine (ISE) are now being actively exploited in attacks.
Although the vendor did not specify how they were being exploited and whether they were successful, applying the security updates as soon as possible is now critical.
“In July 2025, the Cisco PSIRT became aware of attempted exploitation of some of these vulnerabilities in the wild,” reads the updated advisory.
“Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate these vulnerabilities.”
Cisco Identity Services Engine (ISE) is a platform that enables large organizations to control network access and enforce security policies.
The maximum severity flaws were first disclosed by the vendor on June 25, 2025 (CVE-2025-20281 and CVE-2025-20282) and July 16, 2025 (CVE-2025-20337).
Here’s a brief description of the flaws:
CVE-2025-20281: Critical unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). An attacker can send crafted API requests to execute arbitrary commands as root on the underlying OS, without authentication. Fixed in ISE 3.3 Patch 7 and 3.4 Patch 2.
CVE-2025-20282: Critical unauthenticated arbitrary file upload and execution vulnerability in Cisco ISE and ISE-PIC Release 3.4. Lack of file validation allows attackers to upload malicious files into privileged directories and execute them as root. Fixed in ISE 3.4 Patch 2.
CVE-2025-20337: Critical unauthenticated remote code execution vulnerability affecting Cisco ISE and ISE-PIC. Exploitable via specially crafted API requests due to insufficient input validation, allowing attackers to gain root access without credentials. Fixed in ISE 3.3 Patch 7 and 3.4 Patch 2.
All three are rated at maximum severity (CVSS score: 10.0) and are remotely exploitable without requiring authentication, making them valuable targets for hackers seeking to gain a foothold on corporate networks.
Cisco previously released two separate hot patches for the three flaws due to the time difference in their discovery. To mitigate all of them at once, admins are recommended to take the following action:
- ISE 3.3 users must upgrade to Patch 7
- ISE 3.4 users must upgrade to Patch 2
Those on ISE 3.2 or earlier are not affected and do not need to take any action.
There are no workarounds for the three vulnerabilities, so applying the updates is the only recommended course of action.
Contain emerging threats in real time – before they impact your business.
Learn how cloud detection and response (CDR) gives security teams the edge they need in this practical, no-nonsense guide.
