Cisco has disclosed three unauthenticated remote code execution (RCE) flaws-CVE‑2025‑20281, CVE‑2025‑20282, and CVE‑2025‑20337-affecting its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE‑PIC). Scored a CVSS 10.0, these allow attackers root‑level access without credentials. With some active exploit attempts observed, organizations worldwide and especially in the MEA region must urgently apply patches released in July 2025. Failure to act could lead to full network compromise.
What We Know – Timeline & Technical Details. Discovery & Advisory Updates
- 25 June 2025: Cisco first published advisory “cisco‑sa‑ise‑unauth‑rce‑ZAd2GnJ6”, disclosing CVE‑2025‑20281 and CVE‑2025‑20282, both critical (CVSS 10.0) due to unauthenticated root access via API abuse no credentials needed. (Cisco)
- 16 July 2025: Advisory updated to include CVE‑2025‑20337, another root‑RCE bug from the same API weaknesses. (CSO Online)
- 17 July 2025: Cisco confirmed active exploitation in the wild—marking this as an urgent emergency. (TechRadar)
Vulnerabilities Explained
- CVE‑2025‑20281 & CVE‑2025‑20337: Root RCE via insufficient input validation in ISE/ISE‑PIC API; unauthenticated attacker submits crafted requests. (Cisco)
- CVE‑2025‑20282: Root RCE by uploading malicious files due to lacking file validation, affecting release 3.4 only. (Cisco)
Alert Box: MITRE ATT&CK Mapping
- Initial Access: Exploit Public-Facing Application
- Execution: Command and Scripting Interpreter
- Impact: Inhibit System Recovery
- Privileges: Root-level on host systemMEA Impact: Why It Matters Locally
Cisco ISE is widely deployed throughout the Middle East and Africa for network access control in sectors like telecom, finance, and government. Regulatory frameworks like UAE NESA and South Africa’s RSA NISP Act mandate strict integrity controls making unpatched ISE installations a compliance and security liability.
A successful root compromise could enable adversaries to bypass network segmentation, exfiltrate data, or deploy further malware across ON‑prem environments jeopardizing critical infrastructure and private data across the MEA region.
Global Context and Similar Incidents
This crisis echoes previous widespread IAM compromises like Microsoft Exchange ProxyLogon (2021). What makes this case critical is unauthenticated root access on network policy infrastructure, highlighting a dangerous shift: adversaries no longer need internal footholds. Enterprises globally should treat this as a wake‑up call if your network uses Cisco ISE/ISE‑PIC, patch immediately.
Expert Voices
“With a CVSS 10 and active exploit code public, this is a worst‑case scenario,” warns Randolph Barr, CISO at Cequence Security, stressing the severity of unauthenticated root access. (The Hacker News, CVEFeed, CSO Online)
“Attackers are known to exploit public disclosures when patches lag,” says Ravie Lakshmanan at The Hacker News, underlining the urgency for swift patching. (The Hacker News)
Remediation and Immediate Steps
- Patch to:
- Release 3.4 Patch 2 (addresses all three CVEs)
- Release 3.3 Patch 7 (addresses 20281 & 20337); 3.3 Patch 6 users must upgrade
- Replace hot‑patches (CSCwo99449 family) only with full Patch‑7 or Patch‑2, as hot‑patches don’t cover CVE‑20337
- Apply updates promptly Cisco confirms no workarounds available
Actionable Takeaways
- Patch now: ISE/ISE‑PIC versions 3.3 and 3.4 must move to Patch 7 or 3.4 Patch 2.
- Re-scan systems using vendor-supplied or third-party pentesting tools.
- Audit exposed assets for signs of API abuse or suspicious root-level activity.
- Harden network access: use firewalls to limit access to ISE management interfaces.
- Implement IAM best practices: continuous authentication and device posture checks.
- Monitor logs: heightened API logging and alerting around ISE endpoints.
- Ensure regulatory compliance, including NESA, GDPR, and NIST frameworks.
- Engage vendor support (security services) for full patch implementation
- Review architecture: consider segmentation and redundancy to avoid single-point-of-compromise.
- Train staff on RCE threat scenarios and incident protocols (link to security training).
Conclusion
Cisco’s ISE vulnerabilities each – unauthenticated and root-capable – represent a profound threat to network security worldwide, especially in MEA infrastructures that rely on these systems. With public exploit attempts underway, defenders must patch immediately, enhance network segmentation, and enforce continuous monitoring. This incident sets a precedent: identity management cannot be assumed secure; its integrity is as critical as perimeter defense acting now can prevent widespread network collapse.
Sources
- Cisco Security Advisory cisco-sa-ise-unauth-rce-ZAd2GnJ6 (25 Jun 2025, updated 16 Jul 2025) (Cisco)
- The Hacker News (16 Jul 2025) active exploit report (The Hacker News)
- TechRepublic (21 Jul 2025) patch details (TechRepublic)
- CSO Online (18 Jul 2025) expert quote (CSO Online)
- Hacker News vulnerability breakdown (26 Jun 2025) (The Hacker News)
- CISecurity risk analysis (25 Jun 2025) (CIS)
