Severe Remote Code Execution Vulnerabilities in Cisco ISE and ISE-PIC Enable Unauthenticated Access to Root Privileges
Cisco has released updates to address two critical-severity security vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), which could allow unauthenticated attackers to execute arbitrary commands with root privileges.
The vulnerabilities, tracked as CVE-2025-20281 and CVE-2025-20282, both carry a CVSS score of 10.0. Cisco describes them as follows:
- CVE-2025-20281: An unauthenticated remote code execution vulnerability affecting Cisco ISE and ISE-PIC releases 3.3 and later. It could allow an unauthenticated remote attacker to execute arbitrary code on the underlying operating system with root privileges.
- CVE-2025-20282: A vulnerability affecting Cisco ISE and ISE-PIC release 3.4 that could allow an unauthenticated remote attacker to upload arbitrary files to an affected device and then execute those files on the underlying operating system with root privileges.
CVE-2025-20281 arises from insufficient validation of user-supplied input: an attacker exploits it by sending a crafted API request and, on success, obtains root privileges and can execute arbitrary commands. CVE-2025-20282, by contrast, results from inadequate file validation checks that fail to prevent uploaded files from being written to privileged directories. A successful exploit lets the attacker store malicious files on the affected system and then execute arbitrary code or obtain root privileges. Because both flaws are unauthenticated, no credentials are needed; network reachability of the vulnerable service is sufficient.
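To make the second weakness class concrete, the following is an added example (not Cisco's ISE code; the page does not describe how the ISE upload handler works) that places a vulnerable destination-path computation beside a hardened one. The upload root, the file names and the "privileged" target directory are constructed for the example.

```python
"""Illustration of the weakness class attributed to CVE-2025-20282: an upload
handler whose file validation does not keep client-controlled names out of
privileged directories. Added example, not Cisco's ISE code; the page does
not describe ISE's handler. Directories and names below are constructed."""
import os
import re
from pathlib import Path

# Constructed: the directory uploads are supposed to land in.
UPLOAD_ROOT = Path("/var/app/uploads")
# Allow-list for bare file names: no separators, no leading dot, no control bytes.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def weak_target(user_filename: str) -> Path:
    """Vulnerable form: the client-supplied name is joined onto UPLOAD_ROOT and
    normalised, so '..' segments walk out of the root and an absolute name
    replaces the root entirely (os.path.join semantics)."""
    return Path(os.path.normpath(os.path.join(str(UPLOAD_ROOT), user_filename)))


def hardened_target(user_filename: str) -> Path:
    """Hardened form: reject anything that is not a bare allow-listed name,
    then confirm the resolved destination's parent is still UPLOAD_ROOT."""
    if os.path.basename(user_filename) != user_filename or not SAFE_NAME.match(user_filename):
        raise ValueError(f"rejected upload name: {user_filename!r}")
    root = UPLOAD_ROOT.resolve()
    target = (root / user_filename).resolve()
    if target.parent != root:  # defence in depth against symlinks and odd names
        raise ValueError(f"destination escapes upload root: {target}")
    return target


def escapes_root(target: Path) -> bool:
    """True if a computed destination lies outside UPLOAD_ROOT."""
    return target.resolve().parent != UPLOAD_ROOT.resolve()


if __name__ == "__main__":
    # Constructed attacker-controlled names aimed at a privileged directory.
    for name in ("../../../etc/cron.d/job", "/etc/cron.d/job", "report.csv"):
        print(f"{name!r}: weak -> {weak_target(name)} (escapes={escapes_root(weak_target(name))})")
        try:
            print(f"{name!r}: hardened -> {hardened_target(name)}")
        except ValueError as exc:
            print(f"{name!r}: hardened -> {exc}")
```

The weak form is the pattern the advisory text describes in the abstract: the check that should keep uploads inside the intended directory is missing, so a crafted name lands the file where the operating system will later execute it. The hardened form combines an allow-list on the name with a post-resolution containment check rather than trusting either alone.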
Cisco states that no workarounds are available to mitigate these vulnerabilities. The issues are resolved in the following software releases:
- CVE-2025-20281: Fixed in Cisco ISE or ISE-PIC 3.3 Patch 6 and 3.4 Patch 2.
- CVE-2025-20282: Fixed in Cisco ISE or ISE-PIC 3.4 Patch 2.
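For triaging an ISE/ISE-PIC estate against the two fix levels above, the following is an added helper, not a Cisco tool. It assumes each node's version is recorded as "<major>.<minor>" optionally followed by "Patch <n>" (for example "3.4 Patch 1"); the page does not say how ISE reports its version, so adapt the parser to your inventory source. The fix table and the "3.3 and later" scope are taken from the page; releases newer than 3.4 are deliberately flagged rather than assumed safe.

```python
"""Inventory triage against the fixed releases listed above. Added helper,
not a Cisco tool. Version string format is an assumption (see lead-in);
the fix table itself is as published."""
import re

# First fixed patch per release, per CVE. A release absent from a CVE's map
# is not affected by that CVE (CVE-2025-20282 is 3.4-only).
FIXES = {
    "CVE-2025-20281": {(3, 3): 6, (3, 4): 2},
    "CVE-2025-20282": {(3, 4): 2},
}
EARLIEST_AFFECTED = (3, 3)  # page: "3.3 and later"
LATEST_KNOWN = (3, 4)       # releases beyond this are not covered by the page

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str):
    """Return ((major, minor), patch); an unpatched release counts as patch 0."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2))), int(m.group(3) or 0)


def exposed_to(text: str) -> list:
    """CVEs from the table that a node at this version is still exposed to."""
    release, patch = parse_version(text)
    if release < EARLIEST_AFFECTED:
        return []  # 3.2 and earlier are out of scope per the advisory text
    if release > LATEST_KNOWN:
        raise ValueError(f"{text!r}: release not in the published fix table; check the advisory")
    return [cve for cve, fixed in FIXES.items()
            if release in fixed and patch < fixed[release]]


def triage(inventory: dict) -> dict:
    """Map hostname -> outstanding CVEs, omitting nodes that are already fixed."""
    report = {}
    for host, version in inventory.items():
        cves = exposed_to(version)
        if cves:
            report[host] = cves
    return report


if __name__ == "__main__":
    # Constructed inventory for the example.
    sample = {
        "ise-pan-01": "3.3 Patch 5",
        "ise-psn-02": "3.4 Patch 1",
        "ise-psn-03": "3.4 Patch 2",
        "ise-pic-01": "3.2 Patch 7",
    }
    for host, cves in triage(sample).items():
        print(f"{host}: {', '.join(cves)}")
```

Note the asymmetry the table encodes: a 3.3 node needs Patch 6 but is only ever exposed to CVE-2025-20281, while a 3.4 node below Patch 2 is exposed to both, and an unpatched "3.4" with no patch level is treated as Patch 0.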
CVE-2025-20281 was reported by Bobby Gould of Trend Micro Zero Day Initiative and Kentaro Kawane of GMO Cybersecurity; Kawane is also credited with reporting CVE-2025-20282.
At the time of writing there is no evidence of these vulnerabilities being exploited in the wild, but with no workaround available, upgrading to the fixed releases is the only remediation and should be prioritized.