Remote Code Execution Vulnerability in Cisco ISE Products
CVE-2025-20281
Key Information:
- Vendor
Cisco
- Vendor
- CVE Published:
- 25 June 2025
Badges
What is CVE-2025-20281?
CVE-2025-20281 is a critical remote code execution vulnerability found in Cisco Identity Services Engine (ISE) products, including the ISE-PIC. Cisco ISE serves as a key component in network security, enabling organizations to manage user access and enforce policy compliance across their network infrastructure. The vulnerability arises from inadequate validation of user-supplied input in a specific API, allowing an unauthenticated attacker to send crafted requests that can execute arbitrary code with root privileges on the affected system. This poses a severe risk, as successful exploitation can lead to complete control over the device, compromising sensitive data and network integrity without needing any valid credentials.
Potential impact of CVE-2025-20281
-
Unauthorized Access to Sensitive Systems: The vulnerability allows attackers to obtain root access, enabling them to manipulate system settings, access confidential information, and install malicious software. This can lead to data breaches and significant impacts on organizational security.
-
Network Disruption and Service Downtime: By exploiting this vulnerability, attackers can disrupt critical network services, potentially leading to extended downtime for services reliant on Cisco ISE. This can affect organizational operations and erode customer trust.
-
Potential for System Compromise and Malware Distribution: With root access, attackers could deploy additional malware or create backdoors for future attacks. This increases the risk of larger-scale cyber incidents, including data theft or ransomware deployment, as the compromised system can be leveraged to infiltrate other connected devices and systems.
CISA has reported CVE-2025-20281
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2025-20281 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace as recent news articles suggest the vulnerability is being used by ransomware groups.
The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Cisco Identity Services Engine Software 3.3.0
Cisco Identity Services Engine Software 3.3 Patch 2
Cisco Identity Services Engine Software 3.3 Patch 1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles

Second Tea data breach exposes user chats.
PoC exploit published for maximum-severity Cisco ISE flaw. CISA warns of PaperCut vulnerability exploitation.
6 days ago
Two 10.0 Cisco ISE bugs added to CISA list of exploited vulnerabilities
Security teams should patch right away because exploiting ISE lets attackers gain full control of an enterprise network.
1 week ago
CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA
CISA has added three new vulnerabilities to its KEV Catalog, based on evidence of active exploitation
1 week ago
References
CVSS V3.1
Timeline
- 🦅
CISA Reported
- 📈
Vulnerability started trending
- 💰
Used in Ransomware
- 🟡
Public PoC available
- 📰
First article discovered by SecurityWeek
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved