Cisco has released urgent security fixes for two vulnerabilities affecting its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC). Both flaws, CVE-2025-20281 and CVE-2025-20282, carry a CVSS severity rating of 10.0.
Through this exploit, an attacker could gain root access to systems that control identity and access management. Access would enable lateral movement, privilege elevation, and persistence for an extended duration.
The two vulnerabilities are unrelated but equally severe; each affects a different API component in ISE releases 3.3 and 3.4. (CVE-2025-20281 affects ISE and ISE-PIC releases 3.3 and later, while CVE-2025-20282 affects version 3.4 alone.) Cisco recommends that customers upgrade to the fixed software releases as soon as possible, because no workarounds exist.
Root Access, No Credentials Required
The first flaw, CVE-2025-20281, exists in a specific API of Cisco ISE and ISE-PIC. It allows remote, unauthenticated actors to run commands as root on the underlying system. The attack needs no user credentials. The vulnerability stems from insufficient input validation, and a carefully crafted API request is all it needs.
The second, CVE-2025-20282, affects an internal API. It lets bad actors upload malicious files to privileged directories on the system. Once uploaded, these files can be executed with root privileges. Again, no credentials are needed.
These flaws affect all deployments of ISE and ISE-PIC versions 3.3 and 3.4, regardless of configuration. (Note: CVE-2025-20282 only affects version 3.4.) Earlier versions (3.2 and below) are not impacted.
No Known Exploitation, But No Time to Waste
Cisco’s Product Security Incident Response Team (PSIRT) says it has seen no evidence of the flaws being exploited in the wild. There have also been no public disclosures so far. But given the nature of the vulnerabilities, full remote code execution as root without authentication, the risk is significant.
Patches are available for both vulnerabilities. For version 3.3, customers should apply Patch 6 or later. For version 3.4, Patch 2 includes fixes for both issues. Cisco’s advisory includes detailed links and upgrade instructions.
As always, customers are reminded that free security updates are available only for licensed software. Those without a current support contract can request access to patches by contacting the Cisco Technical Assistance Center (TAC), providing their device serial number and a link to the advisory.
No Easy Fix Without a Patch
Cisco says there is no mitigation other than applying the official software patches. Network operations teams running vulnerable versions must take action now. Bad actors wouldn’t need legitimate credentials, internal access or physical presence, just internet access and knowledge of the API endpoints.
The vulnerabilities were responsibly disclosed through Trend Micro’s Zero Day Initiative. CVE-2025-20281 was discovered by Bobby Gould from Trend Micro and Kentaro Kawane of GMO Cybersecurity by Ierae. CVE-2025-20282 was reported by Kawane alone.
This advisory is part of a broader trend of threat actors targeting authentication infrastructure and identity platforms. Because these systems sit at the heart of enterprise security, the appeal for criminals (and the impact of a compromise) continues to grow.
The Profound Impact of Security Flaws
Eric Schwake, Director of Cybersecurity Strategy at Salt Security, says this disclosure highlights the profound impact that security flaws in foundational network management platforms can have.
“These flaws, caused by issues such as inadequate input validation in exposed APIs and poor file validation in internal APIs, demonstrate how unauthenticated access to critical functions can lead to complete system compromise. For large enterprises, government agencies, and service providers that depend on this core infrastructure, these findings underscore the urgent need to apply patches promptly.”
More generally, Schwake says this situation underscores the critical importance of comprehensive API posture governance, ensuring that all APIs in key systems, whether public or internal, are regularly evaluated for vulnerabilities and secured against potential threats.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.