A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.
The vulnerability results from insufficient validation of user-supplied data in a specific product API interface (CWE-74 — injection). An attacker can submit a specially crafted request to the vulnerable API without needing authentication. Successful exploitation of the vulnerability leads to arbitrary code execution at the operating system level with root privileges.
The attacker gains full control over the device's operating system with root privileges, enabling arbitrary modification of configuration, theft of credentials and sensitive information stored by Cisco ISE, as well as further lateral movement in the network.
Patches available from the manufacturer should be applied immediately in accordance with the references — detailed information about vulnerable and patched versions is contained in the Cisco Security Advisory cisco-sa-ise-unauth-rce-ZAd2GnJ6. Until the patch is deployed, it is recommended to restrict access to Cisco ISE API interfaces exclusively to trusted hosts and to monitor network traffic for suspicious API requests.
Cisco Identity Services Engine (ISE) and Cisco Identity Services Engine Passive Identity Connector (ISE-PIC) — specific versions indicated in the manufacturer's references (Cisco Security Advisory cisco-sa-ise-unauth-rce-ZAd2GnJ6)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HCisco Identity Services Engine
APPCisco3.3.03.4.0Cisco Identity Services Engine Passive Identity Connector
APPCisco3.3.03.4.0
CISA KEV — detailsi
- Vendori
- Cisco ↗
- Producti
- Identity Services Engine
- Added to KEVi
- July 28, 2025
- Remediation deadline (US Federal)i
- August 18, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to exploit this vulnerability by submitting a crafted API request. Successful exploitation could allow an attacker to perform remote code execution and obtaining root privileges on an affected device.
Related vulnerabilities
Cisco ISE / ISE-PIC — nieuwierzytelniony RCE przez API jako root
A vulnerability in Cisco ISE and ISE-PIC could allow an authenticated, remote attacker to execute arbitrary co...
RCE w Cisco ISE — eskalacja uprawnień do root przez HTTP
Nieautoryzowany RCE jako root w Cisco ISE i ISE-PIC
Cisco ISE w chmurze: współdzielone statyczne poświadczenia umożliwiają nieautoryzowany dostęp