Remote Code Execution Vulnerability in Cisco ISE Products
CVE-2025-20281

10CRITICAL

Key Information:

Vendor: Cisco
Status: Cisco Identity Services Engine Software
Vendor: CVE Published:; 25 June 2025

Badges

📈 Trended📈 Score: 3,200💰 Ransomware👾 Exploit Exists🟡 Public PoC📰 News Worthy

What is CVE-2025-20281?

CVE-2025-20281 is a critical remote code execution vulnerability found in Cisco Identity Services Engine (ISE) products, including the ISE-PIC. Cisco ISE serves as a key component in network security, enabling organizations to manage user access and enforce policy compliance across their network infrastructure. The vulnerability arises from inadequate validation of user-supplied input in a specific API, allowing an unauthenticated attacker to send crafted requests that can execute arbitrary code with root privileges on the affected system. This poses a severe risk, as successful exploitation can lead to complete control over the device, compromising sensitive data and network integrity without needing any valid credentials.

Potential impact of CVE-2025-20281

Unauthorized Access to Sensitive Systems: The vulnerability allows attackers to obtain root access, enabling them to manipulate system settings, access confidential information, and install malicious software. This can lead to data breaches and significant impacts on organizational security.
Network Disruption and Service Downtime: By exploiting this vulnerability, attackers can disrupt critical network services, potentially leading to extended downtime for services reliant on Cisco ISE. This can affect organizational operations and erode customer trust.
Potential for System Compromise and Malware Distribution: With root access, attackers could deploy additional malware or create backdoors for future attacks. This increases the risk of larger-scale cyber incidents, including data theft or ransomware deployment, as the compromised system can be leveraged to infiltrate other connected devices and systems.

Affected Version(s)

Cisco Identity Services Engine Software 3.3.0

Cisco Identity Services Engine Software 3.3 Patch 2

Cisco Identity Services Engine Software 3.3 Patch 1

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-20281-2-Citrix-ISE-RCE
Created by abrewer251

News Articles

Cyber Security Agency of Singapore

CVE-2025-20281 CVE-2025-20282

Critical Vulnerabilities in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC)

Cisco has released security updates addressing multiple critical vulnerabilities in their ISE and ISE-PIC. Users and administrators of affected products are…

2 weeks ago

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

📈
Vulnerability started trending
Jul 1, 2025
💰
Used in Ransomware
Jun 30, 2025
🟡
Public PoC available
Jun 28, 2025
📰
First article discovered by SecurityWeek
Jun 26, 2025
👾
Exploit known to exist
Jun 25, 2025
Vulnerability published
Jun 25, 2025
Vulnerability Reserved
Oct 10, 2024