Cisco is warning enterprise admins of two critical flaws in its identity and access management (IAM) solution, Identity Services Engine (ISE), that could allow attackers to gain unauthorized privileges and run arbitrary commands on affected systems.
Tracked as CVE-2025-20124 and CVE-2025-20125, the flaws have received critical severity ratings of CVSS 9.9 and 9.1 out of 10, respectively.
“Multiple vulnerabilities in Cisco ISE could allow an authenticated, remote attacker to execute arbitrary commands and elevate privileges on an affected device,” Cisco said in an advisory.
Critical severity ratings were assigned to the flaws despite the need for the attacker to first obtain admin credentials before they could attempt exploitation. “To exploit these vulnerabilities, the attacker must have valid read-only administrative credentials,” Cisco said. “Any administrative user can be used to exploit these vulnerabilities.”
Affected APIs suffer deserialization and authorization flaws
According to the advisory, an API of Cisco ISE is vulnerable to insecure deserialization of user-supplied Java byte streams. A threat actor could exploit this by sending a crafted serialized Java object to the affected API.
The vulnerability, CVE-2025-20124, “could allow an authenticated remote attacker to execute arbitrary commands as the root user on an affected device.” Successful exploitation of the vulnerability, which requires attackers to hold valid read-only credentials, would result in arbitrary code execution and elevated privileges.
Another API of Cisco ISE, which Cisco did not confirm to be the same as the one affected by CVE-2025-20124, could allow attackers with the same admin credentials to obtain sensitive information, change node configurations, and restart the node.
“This vulnerability (CVE-2025-20125) is due to a lack of authorization in a specific API and improper validation of user-supplied data,” Cisco added. “An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device.”
Roy Akerman, VP of Identity Security Strategy at Silverfort, finds this flaw particularly dangerous for its ability to enable identity-based attacks.
In a comment to CSO, he said, “The vulnerability allows an attacker to bypass authentication and gain privileged access, enabling lateral movement across the network, which is dangerous. The uniqueness of this flaw lies in its potential to bypass identity-based security controls, making traditional defenses like passwords and basic authentication insufficient.”
A fix is available, regardless of service contracts
The vulnerabilities affect Cisco ISE and Cisco Passive Identity Connector (ISE-PIC) appliances, regardless of device configuration, the company added. All versions before v3.4, which is not affected, are offered a fix.
Fixes are available per affected version, including 3.1P10 for 3.1, 3.2p7 for 3.2, and 3.3p4 for 3.3. For customers running version 3.0 and earlier, Cisco recommended migrating to a fixed release. As the flaws affect all configurations, and no workaround is available for protection, patching the affected systems is the only way to avoid exploitation.
Cisco said in the advisory that customers with service contracts entitling them to regular updates will receive the fixes through the usual update channels, while those without one can obtain the upgrades by contacting Cisco TAC. There have been no publicly reported cases of these bugs being exploited in the wild.