
Max severity Cisco ISE bug permits pre-auth command execution, patch now

A critical vulnerability (CVE-2025-20337) in Cisco's Identity Services Engine (ISE) could be exploited to let an unauthenticated attacker store malicious files, execute arbitrary code, or obtain root privileges on vulnerable devices.

The security issue received the maximum severity score, 10 out of 10, and is caused by insufficient validation of user-supplied input.

It was discovered by Kentaro Kawane, a researcher at the Japanese cybersecurity firm GMO Cybersecurity by Ierae, and reported to Trend Micro's Zero Day Initiative (ZDI).

A remote, unauthenticated attacker could leverage it by submitting a specially crafted API request.

The vulnerability was added through an update to the security bulletin for CVE-2025-20281 and CVE-2025-20282, two similar RCE vulnerabilities that also received the maximum severity score and that impact ISE and ISE-PIC versions 3.4 and 3.3.

"These vulnerabilities affect Cisco ISE and ISE-PIC releases 3.3 and 3.4, regardless of device configuration," the vendor notes for CVE-2025-20281 and CVE-2025-20337, adding that "these vulnerabilities do not affect Cisco ISE and ISE-PIC Release 3.2 or earlier."


Any of the three security issues can be exploited independently.

Cisco also warns that customers who applied the patches for CVE-2025-20281 and CVE-2025-20282 are not protected from CVE-2025-20337, and must upgrade to ISE 3.3 Patch 7 or ISE 3.4 Patch 2.

The product versions below are the only ones currently confirmed to address all three maximum-severity vulnerabilities. Workarounds or other mitigations are not available.

| Cisco ISE or ISE-PIC Release | First Fixed Release for CVE-2025-20281 | First Fixed Release for CVE-2025-20282 | First Fixed Release for CVE-2025-20337 |
|---|---|---|---|
| 3.2 and earlier | Not vulnerable | Not vulnerable | Not vulnerable |
| 3.3 | 3.3 Patch 7 | Not vulnerable | 3.3 Patch 7 |
| 3.4 | 3.4 Patch 2 | 3.4 Patch 2 | 3.4 Patch 2 |

Although no exploitation of any of the three critical vulnerabilities has been observed in the wild so far, system administrators are strongly advised to take immediate action to mitigate the risk.

Also yesterday, Cisco released four security advisories for less severe vulnerabilities (medium to high severity rating) in several of its products:

  • CVE-2025-20274: High-severity arbitrary file upload vulnerability impacting Cisco Unified Intelligence Center, including Unified CCX bundles. Authenticated users with Report Designer privileges can upload malicious files and potentially execute them as root. Fixed in versions 12.5(1) SU ES05 and 12.6(2) ES05.
  • CVE-2025-20272: Medium-severity blind SQL injection vulnerability in Cisco Prime Infrastructure and EPNM. Low-privileged users can exploit REST APIs to extract unauthorized database content. Resolved in Prime Infrastructure 3.10.6 SU2 and EPNM versions 8.0.1 and 8.1.1.
  • CVE-2025-20283, CVE-2025-20284, CVE-2025-20285: Medium-severity authenticated RCE and IP access restriction bypass vulnerabilities in Cisco ISE and ISE-PIC. High-privileged users can execute commands as root or log in from unauthorized IPs. Impacts versions 3.3 and 3.4; fixed in 3.3 Patch 7 and 3.4 Patch 2.
  • CVE-2025-20288: Medium-severity SSRF vulnerability in Cisco Unified Intelligence Center, exploitable without authentication. Allows attackers to send arbitrary internal requests through the affected system. Impacts versions 12.5 and 12.6, including Unified CCX bundles. Fixed in 12.5(1) SU ES05 and 12.6(2) ES05.

Cisco notes that there are no workarounds for any of the above vulnerabilities and advises customers to determine their risk exposure based on the vendor's information, and to make sure that the devices have sufficient memory before considering an upgrade.

Additionally, administrators should check and confirm that their current hardware and software component configurations are properly supported by the newer Cisco product release.
