Arbitrary File Upload Vulnerability in Cisco ISE and ISE-PIC
CVE-2025-20282

10 CRITICAL

Key Information:

Vendor: Cisco

CVE Published: 25 June 2025

Badges

👾 Exploit Exists

📰 News Worthy

What is CVE-2025-20282?

A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC allows unauthenticated remote attackers to upload arbitrary files to the system. The flaw is caused by insufficient validation checks during the file upload process, which allows malicious files to be placed in privileged directories. An attacker who exploits this vulnerability can then execute those files, gaining root-level access to the system and potentially compromising its integrity.

Affected Version(s)

Cisco Identity Services Engine Software 3.4.0

Cisco Identity Services Engine Software 3.4 Patch 1

News Articles

Critical Vulnerabilities in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC)

Cisco has released security updates addressing multiple critical vulnerabilities in their ISE and ISE-PIC. Users and administrators of affected products are…

2 weeks ago

Cisco fixes two critical make-me-root bugs

Cisco has dropped patches for a pair of critical vulnerabilities that could allow unauthenticated remote attackers to execute code on vulnerable systems. Tracked as CVE-2025-20281 and CVE-2025-20282, Cisco...

3 weeks ago

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • 📰 First article discovered by SecurityWeek

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved
