Remote Code Execution Vulnerability in Cisco Identity Services Engine
CVE-2025-20337
Key Information:
- Vendor: Cisco
- CVE Published: 16 July 2025
What is CVE-2025-20337?
CVE-2025-20337 is a critical vulnerability in Cisco Identity Services Engine (ISE) and its associated Profile Identity Connector (ISE-PIC). Cisco ISE is a network security policy management platform used for identity-based access control, enabling organizations to manage the devices and users on their networks. The vulnerability lies in one of the product's APIs and allows an unauthenticated remote attacker to execute arbitrary code on the underlying operating system. The flaw arises from insufficient validation of user-supplied input, so no valid credentials are required to exploit it. Because successful exploitation yields root privileges on affected devices, the vulnerability poses a severe risk to organizations that rely on Cisco ISE for secure access management.
Potential impact of CVE-2025-20337
- Unauthorized Access and Control: Because attackers can execute arbitrary code as root, they can gain complete control over affected systems. This unauthorized access can lead to manipulation of network policies, data breaches, and compromise of the network's integrity.
- Widespread System Vulnerability: Cisco ISE is widely deployed in enterprise environments for identity and access management, so the potential impact extends across many networks. If exploited, the flaw could allow attackers to pivot to other devices within the network, escalating the scale of the breach.
- Operational Disruption: Successful exploitation could cause significant operational disruption. Attackers may deploy malicious payloads that alter configurations, disrupt services, or execute ransomware, leading to costly downtime and recovery efforts for affected organizations.
CISA has reported CVE-2025-20337
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-20337 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This may change quickly, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Cisco Identity Services Engine Software 3.3.0
Cisco Identity Services Engine Software 3.3 Patch 2
Cisco Identity Services Engine Software 3.3 Patch 1
News Articles
- CVE-2025-20337: Actionable Report for SOC Teams (1 week ago): Review attack flow, detection code, and simulation test for CVE-2025-20337 vulnerability.
- APT Exploits Cisco and Citrix Zero-Day Vulnerabilities - TechNadu (2 weeks ago): Amazon has discovered an APT exploiting zero-days in Cisco ISE (CVE-2025-20337) and Citrix systems (CVE-2025-5777) with custom malware.
- Amazon Uncovers CVE-2025-20337 & CVE-2025-5777 Exploits (2 weeks ago): Amazon reports APTs exploiting CVE-2025-20337 and CVE-2025-5777 zero-day flaws in Cisco and Citrix systems.
Timeline
- 💰 Used in Ransomware
- 🦅 CISA Reported
- 📰 First article discovered by The Hacker News
- 👾 Exploit known to exist
- Vulnerability published
- Vulnerability Reserved