Reflected XSS Vulnerability in Cisco ISE Web Management Interface
CVE-2025-20304

5.4MEDIUM

Key Information:

Vendor: Cisco
Status: Cisco Identity Services Engine Software
Vendor: CVE Published:; 5 November 2025

Badges

👾 Exploit Exists

What is CVE-2025-20304?

Multiple vulnerabilities have been identified in the web-based management interface of Cisco ISE and Cisco ISE-PIC. These vulnerabilities arise from a lack of proper validation of user-supplied input, allowing an authenticated remote attacker to initiate a reflected XSS attack on users interacting with the interface. By injecting malicious code into specific web pages, the attacker can execute arbitrary scripts within the context of the affected interface or gain access to sensitive data stored in the user's browser. Exploitation necessitates that the attacker possesses at least a low-privileged account on the impacted device.

Affected Version(s)

Cisco Identity Services Engine Software 3.1.0

Cisco Identity Services Engine Software 3.1.0 p1

Cisco Identity Services Engine Software 3.1.0 p3

References

https://sec.cloudapps.cisco.com/security/center/content/C...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
Nov 5, 2025
Vulnerability published
Nov 5, 2025
Vulnerability Reserved
Oct 10, 2024

JSON