
Cisco has issued patches for three high-severity vulnerabilities affecting its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP), all of which have publicly available exploit code. The flaws include a static credential exposure in cloud deployments (CVE-2025-20286), an arbitrary file upload in ISE (CVE-2025-20130), and an information disclosure bug in CCP (CVE-2025-20129). These vulnerabilities could allow attackers to escalate privileges, exfiltrate data, or redirect sensitive traffic.
Summary for Security Leaders
The most critical issue is CVE-2025-20286, which exposes static credentials in Cisco ISE cloud deployments (AWS/Azure/OCI). Attackers can use these credentials to pivot across environments. A factory reset is required for mitigation if immediate patching isn’t feasible. The other vulnerabilities—CVE-2025-20130 and CVE-2025-20129—affect ISE’s web interface and CCP’s chat traffic handling, respectively. Public exploit code increases the urgency for remediation.
Technical Breakdown
CVE-2025-20286 (CVSS TBD): This flaw allows unauthenticated attackers to extract shared credentials from Cisco ISE cloud instances. Cisco’s advisory confirms the credentials are hardcoded in AWS/Azure/OCI deployments, enabling lateral movement. The fix requires applying ISE hotfixes or executing the application reset-config ise command, which triggers a factory reset [1].
CVE-2025-20130 (Arbitrary File Upload): Exploitable via ISE’s web interface, this vulnerability could allow attackers to upload malicious files. Cisco has not released detailed PoC code, but BleepingComputer confirms public exploits exist [3].
CVE-2025-20129 (Information Disclosure): Found in CCP, this flaw lets attackers redirect chat traffic to malicious servers via crafted HTTP requests. Cisco patched it in CCP 15.0(1) [2].
Historical Context
Cisco ISE has faced similar issues in the past. In September 2024, a command injection flaw (CVE-2024-20469) with public exploits allowed root escalation. Earlier in February 2025, two critical ISE vulnerabilities (CVE-2025-20124/20125) enabled authenticated command execution [4].
Mitigation Steps
- Patch ISE and CCP immediately using Cisco’s advisories [1], [2].
- Reset static credentials in ISE cloud deployments if patching is delayed.
- Monitor for anomalous file uploads in ISE web interfaces.
- Segment networks to limit lateral movement risks.
Conclusion
With exploit code publicly available, these vulnerabilities pose significant risks, particularly to organizations using Cisco ISE for identity management. Prioritize patching and credential resets to mitigate potential breaches. Cisco’s continued focus on OT security through tools like Cyber Vision highlights the need for layered defenses in hybrid environments.
References
[1] “Cisco ISE Static Credential Advisory,” Cisco Security Advisory, 2025.
[2] “Cisco CCP Information Disclosure Advisory,” Cisco Security Advisory, 2025.
[3] “Cisco warns of ISE and CCP flaws with public exploit code,” BleepingComputer, 2025.
[4] “Breaking: Cisco Patches Severe Identity Services Engine Vulnerabilities,” LinkedIn, 2025.