THREAT ALERT

Cisco Customer Guidance for ISE and ISE-PIC vulnerabilities

Wednesday, July 23rd, 2025


Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user. Cisco has released software updates that address these vulnerabilities. Read the recommendations compiled from Cisco’s security advisory page.

The following was taken directly from Cisco’s security advisory page:

Summary

Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

Note: Since the publication of version 1.0 of this advisory, improved fixed releases have become available. Cisco recommends upgrading to an enhanced fixed release as follows:

  • If Cisco ISE is running Release 3.4 Patch 2, no further action is necessary.
  • If Cisco ISE is running Release 3.3 Patch 6, additional fixes are available in Release 3.3 Patch 7, and the device must be upgraded.
  • If Cisco ISE has either hot patch ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz or hot patch ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz installed, Cisco recommends upgrading to Release 3.3 Patch 7 or Release 3.4 Patch 2. The hot patches did not address CVE-2025-20337 and have been deferred from CCO.

Affected Products

Vulnerable Products

  • CVE-2025-20281 and CVE-2025-20337: These vulnerabilities affect Cisco ISE and ISE-PIC releases 3.3 and 3.4, regardless of device configuration. These vulnerabilities do not affect Cisco ISE and ISE-PIC Release 3.2 or earlier.
  • CVE-2025-20282: This vulnerability affects only Cisco ISE and ISE-PIC Release 3.4, regardless of device configuration. This vulnerability does not affect Cisco ISE and ISE-PIC Release 3.3 or earlier.

Details

The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerabilities.

Details about the vulnerabilities are as follows:

  • CVE-2025-20281 and CVE-2025-20337: Cisco ISE API Unauthenticated Remote Code Execution Vulnerabilities

Multiple vulnerabilities in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit these vulnerabilities.

These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.

Cisco has released software updates that address these vulnerabilities.

Bug ID(s): CSCwo99449 and CSCwp02814
CVE ID: CVE-2025-20281, CVE-2025-20337
Security Impact Rating (SIR): Critical
CVSS Base Score: 10.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

  • CVE-2025-20282: Cisco ISE API Unauthenticated Remote Code Execution Vulnerability

A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and then execute those files on the underlying operating system as root.

This vulnerability is due to a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. An attacker could exploit this vulnerability by uploading a crafted file to the affected device. A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system.

Cisco has released software updates that address this vulnerability.

Bug ID(s): CSCwp02821
CVE ID: CVE-2025-20282
Security Impact Rating (SIR): Critical
CVSS Base Score: 10.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Workarounds

There are no workarounds that address these vulnerabilities.

Fixed Releases

Customers are advised to upgrade to an appropriate fixed software release as indicated in the following table.

Note: Since the publication of version 1.0 of this advisory, improved fixed releases have become available. Cisco recommends upgrading to an enhanced fixed release as follows:

  • If Cisco ISE is running Release 3.4 Patch 2, no further action is necessary.
  • If Cisco ISE is running Release 3.3 Patch 6, additional fixes are available in Release 3.3 Patch 7, and the device must be upgraded.
  • If Cisco ISE has either hot patch ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz or hot patch ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz installed, Cisco recommends upgrading to Release 3.3 Patch 7 or Release 3.4 Patch 2. The hot patches did not address CVE-2025-20337 and have been deferred from CCO.

Cisco ISE or ISE-PIC Release | First Fixed Release for CVE-2025-20281 | First Fixed Release for CVE-2025-20282 | First Fixed Release for CVE-2025-20337
3.2 and earlier              | Not vulnerable                         | Not vulnerable                         | Not vulnerable
3.3                          | 3.3 Patch 7                            | Not vulnerable                         | 3.3 Patch 7
3.4                          | 3.4 Patch 2                            | 3.4 Patch 2                            | 3.4 Patch 2
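The table above is easy to misread when a fleet mixes 3.3 and 3.4 nodes at different patch levels and some nodes carry the deferred hot patches. The following is an added example, not Cisco's or DefenseStorm's code: it encodes the advisory's first-fixed table and the hot-patch note as a small assessment function that an inventory or vulnerability-management script can call per node. The release-string format it parses ("3.3 Patch 6", "3.4") is an assumption about how an inventory export names patch levels; the CVE numbers, patch levels and hot-patch file names are taken from the advisory.

```python
"""Assess a Cisco ISE / ISE-PIC node against the advisory's first-fixed table.

Added example, not Cisco's or DefenseStorm's code. The release-string format
accepted by parse_release() ("3.3 Patch 6", "3.4 Patch 2", "3.2") is an
assumption about the inventory export; the table values come from the advisory.
"""
import re

CVES = ("CVE-2025-20281", "CVE-2025-20282", "CVE-2025-20337")

# Release train -> {CVE: first fixed patch level}; None = train not vulnerable.
# Values are the advisory's "First Fixed Release" table.
FIRST_FIXED = {
    (3, 3): {"CVE-2025-20281": 7, "CVE-2025-20282": None, "CVE-2025-20337": 7},
    (3, 4): {"CVE-2025-20281": 2, "CVE-2025-20282": 2, "CVE-2025-20337": 2},
}

# Hot patches named in the advisory: deferred from CCO, do not fix CVE-2025-20337.
DEFERRED_HOT_PATCHES = {
    "ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz",
    "ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz",
}

_RELEASE_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s+Patch\s+(\d+))?\s*$", re.IGNORECASE)


def parse_release(text):
    """Return (major, minor, patch) from e.g. '3.3 Patch 6'; no patch means 0."""
    m = _RELEASE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(release, hot_patches=()):
    """Return per-CVE status plus the action the advisory calls for.

    status values: 'not vulnerable', 'fixed', 'vulnerable', or
    'not covered by advisory table' for trains newer than 3.4.
    """
    major, minor, patch = parse_release(release)
    train = (major, minor)

    if train < (3, 3):
        # Advisory: Release 3.2 and earlier is not affected by any of the three.
        status = {cve: "not vulnerable" for cve in CVES}
    elif train in FIRST_FIXED:
        status = {}
        for cve in CVES:
            first_fixed = FIRST_FIXED[train][cve]
            if first_fixed is None:
                status[cve] = "not vulnerable"
            elif patch >= first_fixed:
                status[cve] = "fixed"
            else:
                status[cve] = "vulnerable"
    else:
        status = {cve: "not covered by advisory table" for cve in CVES}

    # Hot patches do not change the patch-level verdict; they only add a note,
    # because the advisory says they are deferred and miss CVE-2025-20337.
    notes = [
        f"{hp} is deferred from CCO and does not address CVE-2025-20337"
        for hp in hot_patches
        if hp in DEFERRED_HOT_PATCHES
    ]

    if any(s == "vulnerable" for s in status.values()):
        target = max(p for p in FIRST_FIXED[train].values() if p is not None)
        action = f"upgrade to {major}.{minor} Patch {target}"
    elif train < (3, 3) or any(s == "fixed" for s in status.values()):
        action = "no further action is necessary"
    else:
        action = "release train not in advisory table; check the current advisory"

    return {"release": release, "status": status, "action": action, "notes": notes}


if __name__ == "__main__":
    # Constructed inventory rows, not real devices.
    fleet = [
        ("3.2 Patch 9", []),
        ("3.3 Patch 6", []),
        ("3.4 Patch 1", ["ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz"]),
        ("3.4 Patch 2", []),
    ]
    for rel, hps in fleet:
        r = assess(rel, hps)
        print(rel, "->", r["action"], "|", r["status"], "|", r["notes"])
```

Nodes that report "vulnerable" for any CVE get the train's highest first-fixed level as the upgrade target, which matches the note above (3.3 Patch 7 or 3.4 Patch 2); a hot-patched node that is still below that level is reported as vulnerable rather than fixed, since the advisory withdrew those hot patches.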

For instructions on upgrading a device, see the Upgrade Guides on the Cisco Identity Service Engine support page.

The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

URL
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6

DefenseStorm Response

  • DefenseStorm recommends that everyone who uses Cisco Identity Services Engine review Cisco’s advisory and evaluate whether their environment is vulnerable. If it is, apply the fixed releases Cisco recommends immediately; the advisory states that no workarounds exist.
  • DefenseStorm recommends that everyone who uses Cisco Identity Services Engine watch for anomalous API activity or unauthorized file uploads.
  • DefenseStorm always recommends applying any changes in accordance with your existing internal policies and change controls.
  • Please bookmark https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6
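The second recommendation above (watch for anomalous API activity or unauthorized file uploads) needs concrete rules before a SOC can act on it. The following is an added example, not DefenseStorm's or Cisco's code, that shows one way to triage an API access log against the two conditions the advisory describes: unauthenticated requests to an API, and uploads from sources outside the management networks. The log line format, the paths and the addresses in the sample are constructed for this example and are not Cisco ISE's real log format; the rules are the point, and they can be re-pointed at whatever access log the ISE admin node actually exports.

```python
"""Triage an API access log for unauthenticated writes and out-of-band uploads.

Added example, not DefenseStorm's or Cisco's code. The whitespace-separated
line format and every value in SAMPLE_LOG are constructed for this example;
ISE's real logs differ, so parse_line() is the part to adapt.
"""
import ipaddress
from collections import Counter

# Constructed sample log: timestamp src method path status content-type bytes auth
SAMPLE_LOG = """\
2025-07-23T10:15:02Z 10.10.0.5 GET /api/v1/status 200 application/json 512 auth=admin
2025-07-23T10:15:09Z 10.10.0.5 POST /api/v1/config 200 application/json 2048 auth=admin
2025-07-23T10:16:41Z 203.0.113.7 POST /api/v1/import 200 multipart/form-data 1572864 auth=none
2025-07-23T10:16:43Z 203.0.113.7 POST /api/v1/import 500 multipart/form-data 1572864 auth=none
2025-07-23T10:17:00Z 198.51.100.9 GET /api/v1/status 401 application/json 0 auth=none
"""

WRITE_METHODS = {"POST", "PUT", "PATCH"}
UPLOAD_TYPES = ("multipart/form-data", "application/octet-stream")


def parse_line(line):
    """Split one constructed log line into a record; adapt this for a real log."""
    ts, src, method, path, status, ctype, size, auth = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "method": method,
        "path": path,
        "status": int(status),
        "ctype": ctype,
        "bytes": int(size),
        "auth": auth.split("=", 1)[1],  # 'none' when no authenticated principal
    }


def find_anomalies(log_text, mgmt_networks):
    """Return one finding per log line that trips any rule, listing the rules hit.

    Rules (defender heuristics, not an exploit signature):
      - write method against an API path with no authenticated principal
      - upload content-type with no authenticated principal
      - write method against an API path from outside the management networks
    Failed unauthenticated reads (e.g. a 401 on GET) are deliberately not flagged.
    """
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        in_mgmt = any(rec["src"] in n for n in nets)
        is_api_write = rec["method"] in WRITE_METHODS and rec["path"].startswith("/api/")
        is_upload = rec["ctype"].startswith(UPLOAD_TYPES)
        unauth = rec["auth"] == "none"

        rules = []
        if is_api_write and unauth:
            rules.append("unauthenticated API write")
        if is_upload and unauth:
            rules.append("unauthenticated upload")
        if is_api_write and not in_mgmt:
            rules.append("API write from outside management networks")
        if rules:
            findings.append({
                "ts": rec["ts"],
                "src": str(rec["src"]),
                "path": rec["path"],
                "status": rec["status"],
                "bytes": rec["bytes"],
                "rules": rules,
            })
    return findings


def summarise(findings):
    """Count findings per source so the noisiest source surfaces first."""
    return Counter(f["src"] for f in findings).most_common()


if __name__ == "__main__":
    hits = find_anomalies(SAMPLE_LOG, ["10.10.0.0/16"])
    for h in hits:
        print(h["ts"], h["src"], h["path"], h["status"], ", ".join(h["rules"]))
    print(summarise(hits))
```

A 200 followed by a 500 on the same upload path from the same unmanaged source, as in the sample, is the pattern worth escalating first: it is both an unauthorized upload and a possible sign that something was written and then tripped over, which is exactly what the "apply the fixes immediately" recommendation exists to prevent.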


Desrah Kraft

Cyber Threat Intelligence Engineer

Desrah Kraft is a Cyber Threat Intelligence Engineer at DefenseStorm. For the past three years, she has played a vital role in leading and contributing to various Incident Response efforts. Before transitioning into cybersecurity, Desrah obtained a bachelor’s degree from Mitchell College and worked for 7 years in law enforcement. This experience helped her cultivate a comprehensive understanding of security principles and investigative practices. An accomplished cybersecurity professional with 4 years of hands-on experience in analyzing malware and extensive expertise in safeguarding digital landscapes against malicious threats, Desrah possesses an unparalleled ability to dissect complex cyber threats, identify their origins, and implement effective countermeasures. Additionally, she holds multiple MITRE certifications, which demonstrate her mastery of advanced threat detection and mitigation techniques. Recognized for her keen eye for anomalies and proactive approach, Desrah excels in Endpoint Detection and Response (EDR), enabling rapid identification, investigation, and containment of potential breaches. Committed to continuous growth and learning, Desrah remains at the forefront of cybersecurity, dedicated to fortifying digital infrastructures and inspiring others in the field.