Cisco has released updates to address two maximum-severity security flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could allow an unauthenticated attacker to execute arbitrary commands as the root user.
The vulnerabilities, assigned the CVE identifiers CVE-2025-20281 and CVE-2025-20282, each carry a CVSS score of 10.0. A summary of the flaws is below –
- CVE-2025-20281 – An unauthenticated remote code execution vulnerability affecting Cisco ISE and ISE-PIC releases 3.3 and later that could permit an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root
- CVE-2025-20282 – An unauthenticated remote code execution vulnerability affecting Cisco ISE and ISE-PIC release 3.4 that could permit an unauthenticated, remote attacker to upload arbitrary files to an affected device and execute those files on the underlying operating system as root
Cisco said CVE-2025-20281 is the result of insufficient validation of user-supplied input, which an attacker could exploit by sending a crafted API request to obtain elevated privileges and run commands.
In contrast, CVE-2025-20282 stems from a lack of file validation checks that would otherwise prevent the uploaded files from being placed in privileged directories.
“A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system,” Cisco said.
The networking equipment vendor said there are no workarounds that address the issues. The shortcomings have been addressed in the versions below –
- CVE-2025-20281 – Cisco ISE or ISE-PIC 3.3 Patch 6 (ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz), 3.4 Patch 2 (ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz)
- CVE-2025-20282 – Cisco ISE or ISE-PIC 3.4 Patch 2 (ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz)
The company credited Bobby Gould of Trend Micro Zero Day Initiative and Kentaro Kawane of GMO Cybersecurity for reporting CVE-2025-20281. Kawane, who previously reported CVE-2025-20286 (CVSS score: 9.9), has also been acknowledged for reporting CVE-2025-20282.
While there is no evidence that the vulnerabilities have been exploited in the wild, it is essential that customers move quickly to apply the fixes to safeguard against potential threats.