Remote Code Execution Vulnerability in Cisco ISE Products
CVE-2025-20281

10 CRITICAL

Key Information:

Vendor: Cisco

CVE Published: 25 June 2025

Badges

  • 📈 Trended
  • 📈 Score: 3,200
  • 💰 Ransomware
  • 👾 Exploit Exists
  • 🟡 Public PoC
  • 🦅 CISA Reported
  • 📰 News Worthy

What is CVE-2025-20281?

CVE-2025-20281 is a critical remote code execution vulnerability found in Cisco Identity Services Engine (ISE) products, including the ISE-PIC. Cisco ISE serves as a key component in network security, enabling organizations to manage user access and enforce policy compliance across their network infrastructure. The vulnerability arises from inadequate validation of user-supplied input in a specific API, allowing an unauthenticated attacker to send crafted requests that can execute arbitrary code with root privileges on the affected system. This poses a severe risk, as successful exploitation can lead to complete control over the device, compromising sensitive data and network integrity without needing any valid credentials.

Potential impact of CVE-2025-20281

  1. Unauthorized Access to Sensitive Systems: The vulnerability allows attackers to obtain root access, enabling them to manipulate system settings, access confidential information, and install malicious software. This can lead to data breaches and significant impacts on organizational security.

  2. Network Disruption and Service Downtime: By exploiting this vulnerability, attackers can disrupt critical network services, potentially leading to extended downtime for services reliant on Cisco ISE. This can affect organizational operations and erode customer trust.

  3. Potential for System Compromise and Malware Distribution: With root access, attackers could deploy additional malware or create backdoors for future attacks. This increases the risk of larger-scale cyber incidents, including data theft or ransomware deployment, as the compromised system can be leveraged to infiltrate other connected devices and systems.

CISA has reported CVE-2025-20281

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-20281 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This may change quickly, as recent news articles suggest the vulnerability is being used by ransomware groups.

CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

  • Cisco Identity Services Engine Software 3.3.0
  • Cisco Identity Services Engine Software 3.3 Patch 1
  • Cisco Identity Services Engine Software 3.3 Patch 2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

News Articles

  • Second Tea data breach exposes user chats. PoC exploit published for maximum-severity Cisco ISE flaw. CISA warns of PaperCut vulnerability exploitation. (6 days ago)

  • Two 10.0 Cisco ISE bugs added to CISA list of exploited vulnerabilities: Security teams should patch right away because exploiting ISE lets attackers gain full control of an enterprise network. (1 week ago)

  • CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA: CISA has added three new vulnerabilities to its KEV Catalog, based on evidence of active exploitation. (1 week ago)

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • 🦅 CISA Reported
  • 📈 Vulnerability started trending
  • 💰 Used in Ransomware
  • 🟡 Public PoC available
  • 📰 First article discovered by SecurityWeek
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved
