Cisco has patched three severe unauthenticated remote code execution (RCE) vulnerabilities (CVE‑2025‑20281, CVE‑2025‑20282, CVE‑2025‑20337) in Identity Services Engine (ISE) and its Passive Identity Connector. These flaws allow attackers to gain root-level access without authentication. Immediate action is required to protect network integrity and prevent service-wide compromise.
On 25 June 2025, Cisco’s Product Security Incident Response Team (PSIRT) published Advisory cisco‑sa‑ise‑unauth‑rce‑ZAd2GnJ6, detailing critical RCE vulnerabilities affecting ISE and ISE‑PIC versions 3.3 and 3.4.
An update on 16 July 2025 added a third critical flaw (CVE‑2025‑20337) with a CVSS score of 10.0, marking it maximum-severity.
Technical Breakdown
Attack Vector & Impact
- CVE‑2025‑20281 (CVSS 9.8): Insufficient validation of user-supplied input in a specific API lets a crafted request execute arbitrary OS commands as root, with no authentication.
- CVE‑2025‑20337 (CVSS 10.0): A second unauthenticated root RCE path through the same API, again caused by insufficient input validation; added to the advisory on 16 July.
- CVE‑2025‑20282 (CVSS 10.0): Missing file-validation checks in an internal API allow an unauthenticated attacker to upload arbitrary files into privileged directories and execute them as root. This flaw affects release 3.4 only.
These vulnerabilities stem from insufficient user-input validation and a lack of file validation checks, classic API design failures.
Affected Versions & Patch Status
| Affected Versions | Remediation |
|---|---|
| ISE/ISE‑PIC 3.3 | Upgrade to Patch 7 |
| ISE/ISE‑PIC 3.4 | Upgrade to Patch 2 |

Cisco has confirmed that release 3.2 and earlier are not vulnerable. The hot patches released for CVE‑2025‑20281 and CVE‑2025‑20282 do not fix CVE‑2025‑20337; only the full patch levels above close all three flaws.
Exploitation Status
- As of the 16 July 2025 advisory update, Cisco PSIRT reported no evidence of active exploitation.
- NHS England’s CSOC reported that a public proof-of-concept for CVE‑2025‑20281 was available by 30 June 2025, which materially raises the likelihood of attack.
MEA & Global Implications
Regional Risk Assessment
Cisco ISE is widely deployed in MEA sectors: telecoms, banking, government, and education. Because these flaws require no credentials or prior foothold, an exposed ISE node gives an attacker root on the system that enforces network access policy, enabling lateral movement across core networks and escalation from a perimeter compromise to the data centre.
Regulatory & Compliance Impact
Organisations under UAE NESA, Saudi NCA ECC, or the Kenya Data Protection Act face non-compliance exposure if an incident results from an unpatched system. A root-level breach of the platform that performs authentication and device policy enforcement directly undermines the access-control and data-integrity protections those frameworks require.
Comparison with Global Trends
This mirrors recent maximum-severity vulnerabilities in enterprise control planes (e.g., VMware, Fortinet, F5). Because no authentication is needed, early patching is critical. Cisco ISE appliances carry the same concentration of risk as other core infrastructure worldwide: one compromised policy engine affects every network it governs.
Expert Commentary
“Unauthenticated root access in network policy engines is a defender’s nightmare. Cisco ISE is trusted inside the perimeter; now that trust is broken,” warned Alice Browning, CISO at a Gulf‑based telco.
“With exploit code in the wild, patching must be prioritised immediately, even in emergency patch windows,” advised Dr. Nabil Hamed, cyber‑risk consultant in Egypt.
MITRE ATT&CK Mapping & Technical Indicators
Initial Access: T1190 (Exploit Public-Facing Application)
Execution: T1059 (Command and Scripting Interpreter)
Persistence: T1505 (Server Software Component)
Privilege Escalation: T1068 (Exploitation for Privilege Escalation)
Impact: T1490 (Inhibit System Recovery), T1489 (Service Stop)
IOC: Monitor HTTP logs for POST requests to ISE API endpoints with anomalous parameters or file-upload patterns, particularly from source addresses that are not known management hosts. No public CVE‑specific exploit signatures are available yet.
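The following log-triage script is an added example, not code from Cisco or from any of the cited advisories. It implements the IOC guidance above: scan web-access log lines for write requests to ISE API paths from sources outside a management allow-list, multipart uploads to API paths, and path-traversal or shell metacharacters in the request path. The log format, the API prefixes (`/ers/` and `/api/`), the trusted source addresses and the endpoint names are all assumptions; the sample lines are constructed, and none of the endpoint names are the vulnerable ones.

```python
"""Triage constructed web-access log lines for suspicious ISE API calls.

Added example, not Cisco's or the advisory's code. Assumes a combined-style
access log whose last quoted field is the request Content-Type; adapt the
regex, API prefixes and allow-list to your deployment.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Assumption: ISE ERS API under /ers/ and OpenAPI under /api/ (tune as needed).
API_PREFIXES = ("/ers/", "/api/")
# Assumption: management hosts allowed to make write calls to the APIs.
TRUSTED_SOURCES = {"10.10.0.5", "10.10.0.6"}
WRITE_METHODS = {"POST", "PUT", "PATCH"}
# Fragments that should never appear in a legitimate API path or query.
SUSPICIOUS_FRAGMENTS = ("../", ";", "|", "`", "$(", "\x00")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ctype>[^"]*)"$'
)


@dataclass
class Finding:
    ip: str
    method: str
    path: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def assess(rec):
    """Return a Finding for a suspicious API request, else None."""
    path = unquote(rec["path"])          # decode %2F etc. before inspecting
    if not path.startswith(API_PREFIXES):
        return None                      # only API paths are in scope
    reasons = []
    if rec["method"] in WRITE_METHODS and rec["ip"] not in TRUSTED_SOURCES:
        reasons.append("api-write-from-untrusted-source")
    if rec["ctype"].lower().startswith("multipart/form-data"):
        reasons.append("multipart-upload-to-api")
    if any(frag in path for frag in SUSPICIOUS_FRAGMENTS):
        reasons.append("traversal-or-shell-metacharacters-in-path")
    if not reasons:
        return None
    return Finding(rec["ip"], rec["method"], rec["path"], reasons)


def triage(lines):
    """Run every parseable line through assess() and collect the findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = assess(rec)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample log: endpoint names are placeholders, not real ISE routes.
SAMPLE_LOG = [
    '10.10.0.5 [16/Jul/2025:09:01:02 +0000] "GET /ers/config/endpoint HTTP/1.1" 200 1842 "application/json"',
    '10.10.0.5 [16/Jul/2025:09:01:09 +0000] "POST /ers/config/endpoint HTTP/1.1" 201 0 "application/json"',
    '198.51.100.23 [16/Jul/2025:09:14:51 +0000] "POST /api/v1/example HTTP/1.1" 200 412 "multipart/form-data; boundary=----x"',
    '203.0.113.77 [16/Jul/2025:09:15:03 +0000] "POST /api/v1/node?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 500 97 "application/json"',
    '203.0.113.77 [16/Jul/2025:09:15:20 +0000] "GET /admin/login.jsp HTTP/1.1" 200 5120 "text/html"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ip} {f.method} {f.path} -> {', '.join(f.reasons)}")
```

The trusted-source check is the one that carries most weight in practice: a legitimate orchestration host will make POST calls to the APIs all day, so the allow-list, not the method alone, separates signal from noise. Feed the same logic into a SIEM rule and alert on any finding with two or more reasons.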
Urgent Action Items for CISOs
- Update now: Apply Cisco ISE/ISE‑PIC Patch‑7 (3.3) or Patch‑2 (3.4).
- Segment ISE: Isolate management interfaces from public-facing networks.
- Monitor for unusual API calls: Enable logging and SIEM alerts on API request anomalies.
- Deploy Web Application Firewall: Filter against known exploit vectors.
- Verify hot‑patch status: Hot patches for CVE‑2025‑20281/20282 do not cover CVE‑2025‑20337; confirm the full patch level (3.3 Patch 7 or 3.4 Patch 2) is installed on every node.
- Conduct post‑patch audits: Confirm patch success and absence of unauthorized artifacts.
- Restrict admin access: Limit access to trusted IPs and enforce multi‑factor authentication.
- Perform penetration testing: Validate ISE integrity after patching.
- Educate SOC teams: Brief analysts on CVE‑2025‑20281, CVE‑2025‑20282 and CVE‑2025‑20337, the affected API surfaces, and the request patterns to watch for.
- Report anomalies quickly: Escalate suspicious behaviors surrounding ISE systems.
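For the "Update now" and "Conduct post-patch audits" items, the check below is an added example (not Cisco tooling) that parses an ISE node's `show version` output and compares the highest installed patch with the fixed levels from the advisory. The `show version` transcripts are constructed to resemble ISE CLI output and their exact layout is an assumption; it relies on ISE patches being cumulative, so the highest installed patch number is the effective level.

```python
"""Compare an ISE node's installed patch level with the advisory's fixed levels.

Added example, not Cisco's code. Fixed levels (3.3 Patch 7, 3.4 Patch 2) and
the 'release 3.2 and earlier not affected' statement come from the advisory.
The `show version` layout assumed here is constructed for the example.
"""
import re

REQUIRED_PATCH = {"3.3": 7, "3.4": 2}
VERSION_RE = re.compile(r"^\s*Version\s*:\s*(\S+)")
APP_HEADER = "Cisco Identity Services Engine"
PATCH_HEADER = "Cisco Identity Services Engine Patch"


def parse_show_version(text):
    """Return (application version string, sorted list of installed patch numbers)."""
    section, app_version, patches = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line in (APP_HEADER, PATCH_HEADER):
            section = line              # remember which block we are in
            continue
        m = VERSION_RE.match(raw)
        if not m:
            continue
        if section == APP_HEADER and app_version is None:
            app_version = m.group(1)    # e.g. 3.3.0.430
        elif section == PATCH_HEADER:
            patches.append(int(m.group(1)))
    if app_version is None:
        raise ValueError("no ISE application version found in output")
    return app_version, sorted(patches)


def assess_node(text):
    """Classify a node as fixed, vulnerable, not-affected or unknown."""
    version, patches = parse_show_version(text)
    release = ".".join(version.split(".")[:2])
    installed = patches[-1] if patches else 0   # patches are cumulative
    if release in REQUIRED_PATCH:
        status = "fixed" if installed >= REQUIRED_PATCH[release] else "vulnerable"
    elif tuple(int(p) for p in release.split(".")) <= (3, 2):
        status = "not-affected"
    else:
        status = "unknown"
    return {"release": release, "version": version, "patch": installed, "status": status}


# Constructed transcripts (layout is an assumption about ISE `show version`).
SAMPLE_33 = """\
Cisco Application Deployment Engine OS Release: 3.3
ADE-OS Build Version: 3.3.0.430

Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version      : 3.3.0.430
Install Date : Mon Jan 15 10:12:44 2024

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 5
Install Date : Tue Mar 04 08:00:12 2025

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 6
Install Date : Fri Jun 27 07:45:30 2025
"""

SAMPLE_34 = """\
Cisco Identity Services Engine
---------------------------------------------
Version      : 3.4.0.608

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 2
"""

SAMPLE_32 = """\
Cisco Identity Services Engine
---------------------------------------------
Version      : 3.2.0.542
"""

if __name__ == "__main__":
    for name, sample in (("node-33", SAMPLE_33), ("node-34", SAMPLE_34), ("node-32", SAMPLE_32)):
        print(name, assess_node(sample))
```

Run this against the saved `show version` output of every PAN, PSN and ISE-PIC node rather than trusting the primary node alone; a secondary node left at Patch 6 is still exploitable.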
Conclusion
The discovery of unauthenticated root-level RCE vulnerabilities in Cisco ISE/ISE‑PIC represents a critical risk to network policy infrastructure globally, and in the MEA region in particular. With a public PoC available and no authentication barrier to exploitation, immediate patching, access control, and monitoring are essential. Trust in core networking systems depends on rapid remediation and continued vigilance.
Sources
- Cisco Advisory cisco-sa-ise-unauth-rce-ZAd2GnJ6 (25 Jun 2025, updated 16 Jul 2025), Cisco
- The Hacker News (17 Jul 2025)
- Rescana analysis (26 Jun 2025), Rescana
- NHS England CSOC alert (30 Jun 2025), NHS England Digital
- SOC Prime advisory (Jul 2025), SOC Prime
- Belgium CCB warning (27 Jun 2025), ccb.belgium.be
- CSA Singapore alert (26 Jun 2025)