Severe Cisco ISE Authentication Bypass Vulnerability Affects Cloud Deployments on AWS, Azure, and OCI
Cisco has released critical security patches to address a significant vulnerability in the Identity Services Engine (ISE). If exploited, this flaw could enable unauthenticated attackers to perform malicious actions on vulnerable systems.
The vulnerability, identified as CVE-2025-20286, has been assigned a CVSS score of 9.9 out of 10.0 and is categorized as a static credential vulnerability.
The advisory from Cisco details that this vulnerability affects cloud deployments of Cisco ISE on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). An unauthenticated remote attacker could gain access to sensitive data, execute limited administrative actions, alter system configurations, or disrupt services on impacted systems.
Cisco acknowledges the contribution of Kentaro Kawane from GMO Cybersecurity for identifying this vulnerability and has confirmed the existence of a proof-of-concept exploit; however, there is no evidence of its active exploitation in the wild.
The root cause of this vulnerability lies in the inadequate generation of credentials during Cisco ISE deployments on cloud platforms. This flaw permits multiple deployments to share identical credentials, contingent on being on the same software release and cloud platform.
In simpler terms, the static credentials are specific to both a software release and a cloud platform, so they may not be valid across different releases or platforms. To illustrate, all instances of Cisco ISE release 3.1 on AWS will share the same static credentials, but credentials from a 3.1 deployment won't be applicable to a release 3.2 deployment on the same platform, nor will release 3.2 on AWS have the same credentials as release 3.2 on Azure.
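To make the credential-sharing pattern concrete, the following Python snippet is an added, hypothetical model of this flaw class; it is not Cisco's provisioning code and is not from the advisory. It contrasts a weak scheme that derives a credential only from values identical for every deployment of the same release on the same platform with a fixed scheme that uses per-instance randomness, and includes a fleet check a defender could run over credential fingerprints. The function names (provision_weak, provision_fixed, shared_credentials) and the sample fleet are constructed for the example.

```python
import hashlib
import secrets
from collections import defaultdict

# Hypothetical weak scheme (constructed, not Cisco's code): the credential is a
# pure function of release and platform, so every deployment that shares those
# two values ends up with the same credential.
def provision_weak(release: str, platform: str) -> bytes:
    seed = f"{release}:{platform}".encode()
    return hashlib.sha256(seed).digest()

# Fixed scheme: per-instance randomness from the OS CSPRNG, so two deployments
# never share a credential regardless of release or platform.
def provision_fixed(release: str, platform: str) -> bytes:
    return secrets.token_bytes(32)

def fingerprint(cred: bytes) -> str:
    # Compare hashes of secrets, never the raw secrets themselves.
    return hashlib.sha256(cred).hexdigest()[:16]

def shared_credentials(deployments: dict) -> list:
    """Return groups of deployment names whose credential fingerprints collide.
    An inventory check like this flags deployments that share a credential."""
    groups = defaultdict(list)
    for name, cred in deployments.items():
        groups[fingerprint(cred)].append(name)
    return sorted(g for g in groups.values() if len(g) > 1)

def demo(provision) -> list:
    # Constructed sample fleet using release/platform pairs from the advisory.
    fleet = {
        "aws-3.1-a": ("3.1", "aws"),
        "aws-3.1-b": ("3.1", "aws"),
        "aws-3.2-a": ("3.2", "aws"),
        "azure-3.2-a": ("3.2", "azure"),
        "azure-3.2-b": ("3.2", "azure"),
    }
    creds = {name: provision(r, p) for name, (r, p) in fleet.items()}
    return shared_credentials(creds)

if __name__ == "__main__":
    # Weak scheme: the two AWS 3.1 nodes collide, as do the two Azure 3.2 nodes,
    # while AWS 3.1 vs AWS 3.2 and AWS 3.2 vs Azure 3.2 differ.
    print("weak :", demo(provision_weak))
    # Fixed scheme: no collisions at all.
    print("fixed:", demo(provision_fixed))
```

The weak run reproduces exactly the pattern the advisory describes (same release and same platform collide; different release or different platform do not), and the fixed run shows why per-instance randomness removes the class of problem rather than just changing which deployments collide.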
Exploitation of this vulnerability allows attackers to extract user credentials from the Cisco ISE deployments in the cloud and gain unauthorized access to Cisco ISE instances in other cloud environments via unsecured ports.
This could lead to unauthorized access to sensitive information, the execution of administrative actions, changes to system configurations, and potential service interruptions. Importantly, Cisco ISE is only affected when the Primary Administration node is deployed in the cloud; on-premises nodes remain unaffected.
The following versions are impacted:
- AWS – Cisco ISE versions 3.1, 3.2, 3.3, and 3.4
- Azure – Cisco ISE versions 3.2, 3.3, and 3.4
- OCI – Cisco ISE versions 3.2, 3.3, and 3.4
Although there are no effective workarounds for CVE-2025-20286, Cisco recommends that users limit traffic to authorized administrators or execute the “application reset-config ise” command to reset user passwords. It is essential to note that this command will revert Cisco ISE to its factory configuration.