Cisco Issues Urgent Alert on Critical RCE Vulnerabilities in Identity Services Engine


Cisco has issued a security advisory regarding two critical, unauthenticated remote code execution (RCE) vulnerabilities affecting the Cisco Identity Services Engine (ISE) and the Passive Identity Connector (ISE-PIC).

The vulnerabilities, tracked as CVE-2025-20281 and CVE-2025-20282, both carry the maximum Common Vulnerability Scoring System (CVSS) score of 10.0. CVE-2025-20281 affects ISE and ISE-PIC releases 3.3 and 3.4; CVE-2025-20282 affects release 3.4 only.

CVE-2025-20281 is caused by insufficient validation of user-supplied input in a publicly exposed API. An unauthenticated remote attacker can submit a crafted API request that executes arbitrary operating system commands on the appliance as the root user.

CVE-2025-20282 is caused by missing file-validation checks in an internal API, which should prevent uploaded files from being written to privileged directories. An unauthenticated remote attacker can upload a crafted file to the system and then execute it with root privileges.

Cisco's Identity Services Engine is a network access control and security policy management platform, widely deployed by large enterprises, government bodies, educational institutions and service providers for network access control, identity management and policy enforcement. An ISE node therefore holds credentials and policy for the network it protects, which is why an unauthenticated root compromise of it is especially serious.

Because neither flaw requires authentication or user interaction, either one allows full compromise of an affected appliance with root privileges.

Cisco states that it is not aware of any active exploitation of these vulnerabilities, but it strongly advises customers to prioritise installation of the available updates.

Deployments on release 3.3 should move to 3.3 Patch 6 (or apply the hot patch ise-apply-CSCwo99449_3.3.0.430_patch4), and deployments on 3.4 to 3.4 Patch 2 (or the hot patch ise-apply-CSCwo99449_3.4.0.608_patch1), or later releases. There are no workarounds for these vulnerabilities.

In addition, Cisco has released a separate advisory for a medium-severity authorization bypass vulnerability, tracked as CVE-2025-20264, which also affects ISE. It results from insufficient enforcement of authorization for users created through SAML SSO integration with an external identity provider. An authenticated attacker holding valid SSO credentials can execute specific commands to alter system settings or trigger a system restart, actions their role should not permit.

CVE-2025-20264 affects all ISE release trains up to and including 3.4. Fixes are included in 3.4 Patch 2 and 3.3 Patch 5; the fix for 3.2 is planned for Patch 8, scheduled for November 2025.

Customers running ISE 3.1 or earlier should migrate to a supported release, since those versions are no longer maintained and will not receive fixes.
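The affected and fixed releases above reduce to a small triage check that is easy to get wrong across three CVEs and four release trains. The following Python script is an added example, not Cisco code or a Cisco-published tool: it encodes the release data stated in this article and reports, for each CVE, whether a given ISE release is not affected, already fixed, or still needs an upgrade. The version-string formats it accepts ("3.3 Patch 4", "3.4.0.608 patch 1") are an assumption, as is the handling of 3.1 and earlier as unsupported trains that must be migrated rather than patched.

```python
"""Triage a Cisco ISE / ISE-PIC release against the fixed releases named in
the advisory summary above.

Added example, not Cisco code.  The affected/fixed data is taken from the
article; the accepted version-string format is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

Train = Tuple[int, int]  # (major, minor), e.g. (3, 4) for the 3.4 train


@dataclass(frozen=True)
class Advisory:
    cve: str
    severity: str
    affects: Callable[[Train], bool]   # is this release train in scope at all?
    fixed_in: Dict[Train, int]         # train -> first patch level that fixes it


ADVISORIES = (
    # Unauthenticated RCE, CVSS 10.0: ISE / ISE-PIC 3.3 and 3.4.
    Advisory("CVE-2025-20281", "critical",
             affects=lambda t: t in ((3, 3), (3, 4)),
             fixed_in={(3, 3): 6, (3, 4): 2}),
    # Unauthenticated RCE, CVSS 10.0: 3.4 only.
    Advisory("CVE-2025-20282", "critical",
             affects=lambda t: t == (3, 4),
             fixed_in={(3, 4): 2}),
    # Authorization bypass for SAML SSO users, medium severity: every train
    # up to 3.4.  3.2 Patch 8 is the fix the article says is scheduled for
    # November 2025, so "upgrade to 3.2 Patch 8" may mean "wait for it".
    Advisory("CVE-2025-20264", "medium",
             affects=lambda t: t <= (3, 4),
             fixed_in={(3, 2): 8, (3, 3): 5, (3, 4): 2}),
)

# 3.1 and earlier are out of maintenance (assumption drawn from the article's
# advice to migrate off them).
OLDEST_SUPPORTED: Train = (3, 2)

# Accepts "3.3", "3.3 Patch 4", "3.4.0.608 patch 1"; the format is an assumption.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.\d+)*\s*(?:patch\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Train, int]:
    """Return ((major, minor), patch). A missing patch level counts as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    return (int(m.group(1)), int(m.group(2))), int(m.group(3) or 0)


def status(adv: Advisory, train: Train, patch: int) -> str:
    """Classify one (train, patch) against one advisory."""
    if not adv.affects(train):
        return "not affected"
    if train < OLDEST_SUPPORTED:
        return "vulnerable: release train is unsupported, migrate to a fixed release"
    fix = adv.fixed_in.get(train)
    if fix is None:
        return "vulnerable: no fix listed for this train"
    if patch >= fix:
        return "fixed"
    return f"vulnerable: upgrade to {train[0]}.{train[1]} Patch {fix} or later"


def triage(version_text: str) -> Dict[str, str]:
    """Map each CVE in the advisories to its status for the given release."""
    train, patch = parse_version(version_text)
    return {adv.cve: status(adv, train, patch) for adv in ADVISORIES}


if __name__ == "__main__":
    # Constructed sample inputs covering each train the article discusses.
    for v in ("3.4 Patch 1", "3.4.0.608 patch 2", "3.3 Patch 5", "3.2 Patch 7", "3.1 Patch 9"):
        print(v)
        for cve, st in triage(v).items():
            print(f"  {cve}: {st}")
```

Note that a 3.3 node at Patch 5 is reported as fixed for CVE-2025-20264 but still vulnerable to CVE-2025-20281, which is exactly the case a single "am I patched?" question tends to miss; the per-CVE output makes that visible.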