CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2025-20281

CVSS 10.0v3.1pub. 2025-06-25upd. 2025-10-28

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.

🤖 AI Analysis
How it works

The vulnerability stems from insufficient validation of user-supplied data to a specific API endpoint (CWE-74 — injection). The attacker sends a specially crafted request to the exposed API without requiring authentication. The improperly processed payload allows injection and execution of arbitrary code directly in the context of the device's operating system.

Impact

Successful exploitation of the vulnerability grants the attacker full root privileges on the targeted device, meaning complete system takeover, the ability to read and modify all data (including identity configurations and access policies), and potential lateral movement in the organization's network infrastructure.

Mitigation & patch

Patches from the manufacturer must be applied immediately in accordance with the official Cisco Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6. Until the patch is implemented, it is recommended to restrict access to the Cisco ISE API only to trusted hosts at the firewall/ACL level and to continuously monitor logs for unexpected API requests.

Who is affected

Cisco Identity Services Engine (ISE) and Cisco Identity Services Engine Passive Identity Connector (ISE-PIC) — specific versions indicated in manufacturer references (Cisco Security Advisory cisco-sa-ise-unauth-rce-ZAd2GnJ6)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Cisco Identity Services Engine

    APP
    Cisco
    3.3.03.4.0
  • Cisco Identity Services Engine Passive Identity Connector

    APP
    Cisco
    3.3.03.4.0

CISA KEV — detailsi

Vendori
Cisco
Producti
Identity Services Engine
Added to KEVi
July 28, 2025
Remediation deadline (US Federal)i
August 18, 2025(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to exploit this vulnerability by submitting a crafted API request. Successful exploitation could allow an attacker to perform remote code execution and obtaining root privileges on an affected device.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 18 sierpnia 2025
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-20337CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Nieuwierzytelniony RCE jako root w Cisco ISE i ISE-PIC poprzez API

CVE-2026-20181CRITICAL9.1ten sam produkt

A vulnerability in Cisco ISE and ISE-PIC could allow an authenticated, remote attacker to execute arbitrary co...

CVE-2026-20186CRITICAL9.9PL ✓ten sam produkt

RCE w Cisco ISE — eskalacja uprawnień do root przez HTTP

CVE-2025-20282CRITICAL10.0PL ✓ten sam produkt

Nieautoryzowany RCE jako root w Cisco ISE i ISE-PIC

CVE-2025-20286CRITICAL9.9PL ✓ten sam produkt

Cisco ISE w chmurze: współdzielone statyczne poświadczenia umożliwiają nieautoryzowany dostęp