Cisco has issued an urgent security advisory regarding two critical remote code execution (RCE) vulnerabilities affecting its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC). These flaws, rated at the maximum CVSS score of 10.0, allow unauthenticated attackers to execute arbitrary code on vulnerable systems. Security teams are advised to apply patches immediately as no workarounds exist.
Technical Details of the Vulnerabilities
The first vulnerability, tracked as CVE-2025-20281, affects ISE and ISE-PIC versions 3.3 and later. It stems from insufficient input validation in API requests, enabling unauthenticated RCE. The second flaw, CVE-2025-20282, impacts only version 3.4 and allows arbitrary file uploads that lead to RCE with root privileges. Both vulnerabilities were discovered by researchers from Trend Micro’s Zero Day Initiative (Bobby Gould) and GMO Cybersecurity (Kentaro Kawane). As of June 2025, no active exploitation has been observed, but the potential impact is severe given ISE’s role in network access control and policy enforcement.
| CVE | Affected Versions | Patch |
|---|---|---|
| CVE-2025-20281 | ISE/ISE-PIC 3.3+ | ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz |
| CVE-2025-20282 | ISE/ISE-PIC 3.4 only | ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz |
Detection and Mitigation Strategies
Organizations should prioritize devices exposed to untrusted networks for immediate patching. Monitoring logs for unusual API activities or unexpected file uploads is recommended as an interim detection measure. Network segmentation can help limit potential lateral movement if exploitation occurs. The Singapore Cyber Security Agency, Canadian Cyber Centre, and MS-ISAC have all issued alerts urging prompt action.
For security teams, the following steps are critical:
- Verify all ISE and ISE-PIC installations against affected versions
- Apply the relevant patches from Cisco’s security advisory
- Review API access logs for suspicious patterns
- Consider temporary network isolation for critical systems during patching
Historical Context and Future Implications
This isn’t the first time critical vulnerabilities have been found in Cisco’s ISE platform. Similar flaws in the past have been actively exploited, making prompt patching essential. The maximum severity rating reflects the potential impact on organizations using ISE for network access control and authentication. Given ISE’s widespread use in enterprise environments, these vulnerabilities could be attractive targets for advanced threat actors if left unpatched.
Cisco’s advisory provides complete technical details and patching instructions. Security teams should reference the official documentation for implementation guidance. The discovery process highlights the value of coordinated vulnerability disclosure, with researchers working through proper channels to report these critical issues.
Conclusion
These vulnerabilities represent significant risks to organizations using Cisco’s ISE platform. The combination of maximum severity ratings and the lack of workarounds makes immediate patching the only viable mitigation strategy. Security teams should treat this as a high-priority remediation effort, particularly for internet-facing systems. Continuous monitoring for exploitation attempts is advised even after patching, as threat actors may develop exploits for these vulnerabilities.
References
- “Cisco Security Advisory: Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities”, Cisco Systems, 2025.
- “NVD – CVE-2025-20281”, National Vulnerability Database, 2025.
- “Cisco warns of max severity RCE flaws in Identity Services Engine”, BleepingComputer, 2025.
