Top-rated root vulnerabilities threaten Cisco Identity Services Engine
Two critical vulnerabilities jeopardize Cisco Identity Services Engine. Security updates are available.
Certain versions of Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) are vulnerable. After successful attacks, attackers can gain full control over systems.
Code execution flaws
Administrators use ISE to control network access by company employees, among other things. The application therefore sits at a central point in corporate networks, where successful attacks can really hurt. Admins should act quickly and install the security patches ISE/ISE-PIC 3.3 Patch 6 or 3.4 Patch 2. ISE versions up to and including 3.2 are not at risk.
According to the advisory, both vulnerabilities (CVE-2025-20281, CVE-2025-20282) are classified with the threat level “critical” and the highest possible CVSS score of 10 out of 10. In both cases, remote attackers can exploit the vulnerabilities without authentication.
Due to insufficient input validation, attackers can execute malicious code with root privileges via crafted API requests or by uploading manipulated files. Instances should be assumed to be completely compromised after a successful attack. Cisco states that there are no indications of attacks to date.
Further danger
The developers at Cisco have also closed another security gap (CVE-2025-20264, “medium”) in ISE. Due to errors in the SAML SSO implementation in the context of external identity providers, remote but authenticated attackers can exploit the vulnerability with certain commands. If an attack succeeds, they can alter system settings. The following ISE releases are fixed against this: 3.2P8 (Nov 2025), 3.3P5 and 3.4P2.
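Because the two advisories have different fixed releases per ISE train (3.3 Patch 6 / 3.4 Patch 2 for the root RCE flaws, 3.2P8 / 3.3P5 / 3.4P2 for the SAML SSO flaw), it is easy to mis-judge which nodes still need patching. The following script is an added example, not code from heise or Cisco: it transcribes only the version thresholds stated in this article into a patch-status check over an inventory of ISE nodes. The version notation it parses ("3.3 Patch 6", "3.2P8", or a bare "3.4") and the sample hostnames are assumptions made for the example; trains the article does not mention are reported as "not listed" rather than guessed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed patch levels per release train (major, minor), transcribed from the
# article's text (not from Cisco's advisory data).
RCE_FIXED = {(3, 3): 6, (3, 4): 2}                # CVE-2025-20281 / CVE-2025-20282
RCE_UNAFFECTED_MAX = (3, 2)                       # "up to and including 3.2" not at risk
SAML_FIXED = {(3, 2): 8, (3, 3): 5, (3, 4): 2}    # CVE-2025-20264 (3.2P8 due Nov 2025)

RCE_ADVISORY = "CVE-2025-20281/20282 (RCE, root)"
SAML_ADVISORY = "CVE-2025-20264 (SAML SSO)"

# Assumed version notation: "3.3 Patch 6", "3.2P8", or "3.4" (patch level 0).
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\s*(?:patch\s*|p)?(\d+)?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); patch is 0 when no patch level is given."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def _status(train: Tuple[int, int], patch: int, fixed_map: Dict[Tuple[int, int], int],
            unaffected_max: Optional[Tuple[int, int]] = None) -> str:
    if unaffected_max is not None and train <= unaffected_max:
        return "not affected"
    if train not in fixed_map:
        # Train not covered by the article; consult the vendor advisory instead.
        return "not listed"
    return "fixed" if patch >= fixed_map[train] else "vulnerable"


def patch_status(version: str) -> Dict[str, str]:
    """Map each advisory to fixed / vulnerable / not affected / not listed."""
    major, minor, patch = parse_version(version)
    train = (major, minor)
    return {
        RCE_ADVISORY: _status(train, patch, RCE_FIXED, RCE_UNAFFECTED_MAX),
        SAML_ADVISORY: _status(train, patch, SAML_FIXED),
    }


def needs_patching(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Return host -> advisories for which that host is still vulnerable."""
    result: Dict[str, List[str]] = {}
    for host, version in inventory.items():
        open_items = [adv for adv, st in patch_status(version).items() if st == "vulnerable"]
        if open_items:
            result[host] = open_items
    return result


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "ise-pan-01": "3.3 Patch 5",   # SAML flaw fixed, RCE flaws still open
    "ise-psn-02": "3.4P2",         # both fixed
    "ise-pic-03": "3.2P7",         # RCE flaws not applicable, SAML flaw open
    "ise-lab-04": "3.3 Patch 6",   # both fixed
}

if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY.items():
        print(f"{host:12} {version:12} {patch_status(version)}")
    print("needs patching:", needs_patching(SAMPLE_INVENTORY))
```

Running it against the sample inventory flags `ise-pan-01` for the root RCE advisories and `ise-pic-03` for the SAML SSO advisory; the 3.2 node is correctly left out of the RCE list because the article states that train is not at risk.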
(des)