Cisco on Monday up to date its advisory of a set of lately disclosed security flaws in Id Companies Engine (ISE) and ISE Passive Id Connector (ISE-PIC) to acknowledge lively exploitation.
“In July 2025, the Cisco PSIRT [Product Security Incident Response Team], turned conscious of tried exploitation of a few of these vulnerabilities within the wild,” the corporate mentioned in an alert.
The community gear vendor didn’t disclose which vulnerabilities have been weaponized in real-world assaults, the identification of the risk actors exploiting them, or the dimensions of the exercise.
Cisco ISE performs a central position in community entry management, managing which customers and gadgets are allowed onto company networks and beneath what situations. A compromise at this layer may give attackers unrestricted entry to inner techniques, bypassing authentication controls and logging mechanisms—turning a coverage engine into an open door.
The vulnerabilities outlined within the alert are all critical-rated bugs (CVSS scores: 10.0) that would permit an unauthenticated, distant attacker to challenge instructions on the underlying working system as the foundation person –
- CVE-2025-20281 and CVE-2025-20337 – A number of vulnerabilities in a particular API that would permit an unauthenticated, distant attacker to execute arbitrary code on the underlying working system as root
- CVE-2025-20282 – A vulnerability in an inner API that would permit an unauthenticated, distant attacker to add arbitrary recordsdata to an affected gadget after which execute these recordsdata on the underlying working system as root
Whereas the primary two flaws are the results of inadequate validation of user-supplied enter, the latter stems from a scarcity of file validation checks that will stop uploaded recordsdata from being positioned in privileged directories on an affected system.
In consequence, an attacker may leverage these shortcomings by submitting a crafted API request (for CVE-2025-20281 and CVE-2025-20337) or importing a crafted file to the affected gadget (for CVE-2025-20282).
In mild of lively exploitation, it is important that prospects improve to a hard and fast software program launch as quickly as doable to remediate these vulnerabilities. These flaws are exploitable remotely with out authentication, inserting unpatched techniques at excessive threat of pre-auth distant code execution—a top-tier concern for defenders managing important infrastructure or compliance-driven environments.
Safety groups also needs to assessment system logs for suspicious API exercise or unauthorized file uploads, particularly in externally uncovered deployments.
