CVE-2025-20281 & CVE-2025-20282: Critical Cisco ISE Vulnerabilities Allow Root-Level RCE

A new security advisory has unveiled two critical vulnerabilities affecting Cisco ISE (Identity Services Engine) and ISE Passive Identity Connector (ISE-PIC), one of them carrying a maximum CVSS score of 10.0.

These flaws could enable remote attackers to take full control of vulnerable systems without needing credentials – a high-stakes scenario for organizations relying on Cisco’s identity management infrastructure.

What Are the Latest Cisco ISE Vulnerabilities?

Cisco has confirmed that both vulnerabilities stem from unauthenticated access vectors and involve serious issues in the API layers of ISE and ISE-PIC:

  • CVE-2025-20281 (CVSS 9.8) allows an attacker to execute arbitrary code as the root user via a crafted API request. This is due to insufficient validation of user input, making it possible to directly interact with the OS beneath the application.

Details of CVE-2025-20281 (SOCRadar Vulnerability Intelligence)

  • CVE-2025-20282 (CVSS 10.0) lets an attacker upload and execute malicious files by exploiting inadequate file validation in internal APIs. By placing payloads into privileged directories, an attacker can effectively hijack the system and escalate privileges to root.

Details of CVE-2025-20282 (SOCRadar Vulnerability Intelligence)

Neither vulnerability relies on the other, meaning an attacker can exploit either independently to achieve Remote Code Execution (RCE).

Which Cisco ISE Versions Are at Risk?

The scope of affected versions varies between the two flaws:

  • CVE-2025-20281 impacts all ISE and ISE-PIC releases from version 3.3 onwards. Versions 3.2 and earlier are not vulnerable.
  • CVE-2025-20282 affects only release 3.4. If you are running 3.3 or older, you are not affected by this particular vulnerability.

It is essential for security teams to evaluate their specific deployment version before planning mitigations.

Are These Exploited in the Wild?

According to Cisco’s Product Security Incident Response Team (PSIRT), there have been no public exploits, disclosures, or signs of malicious activity leveraging these vulnerabilities at the time of the advisory.

That said, the ease of exploitation (no authentication required and full system control granted) makes it likely that Proof-of-Concept (PoC) exploits could emerge soon.

Organizations should act fast before these theoretical threats become practical attacks.

Track your company’s vulnerability status with SOCRadar ASM module

While exploits may not be public yet, attackers often scan for vulnerable and exposed systems first. SOCRadar’s Attack Surface Management (ASM) continuously monitors your external environment to identify exposed assets, including unpatched devices, before attackers find them.

Gain real-time visibility, prioritize critical risks, and reduce your attack surface, ensuring you act proactively, not reactively.

How to Fix CVE-2025-20281 & CVE-2025-20282

Cisco has released patches addressing both vulnerabilities:

For CVE-2025-20281, fixed versions include:

  • ISE 3.3: Patch 6
  • ISE 3.4: Patch 2

For CVE-2025-20282, the fix is available only in:

  • ISE 3.4: Patch 2

There are no available workarounds, so applying the official updates is the only secure path forward. For complete details, including patch instructions and version downloads, refer to the official Cisco advisory.

Keep Pace with Emerging Vulnerabilities and Exploits with SOCRadar Vulnerability Intelligence

Cyber threats evolve rapidly, and timely information is key to defending your environment. SOCRadar’s Vulnerability Intelligence delivers up-to-the-minute alerts on newly disclosed CVEs, real-world exploit activity, and shifting attack trends.

SOCRadar’s Vulnerability Intelligence module

Vulnerability Intelligence is a core component of SOCRadar’s broader Cyber Threat Intelligence module and its key capabilities include:

  • Real-time alerts on critical vulnerabilities
  • Monitoring of exploit trends and threat actor tactics
  • Prioritization guidance to focus on the most urgent risks
  • Actionable insights to support faster, smarter remediation

With this insight, your security team can prioritize patching effectively and respond swiftly to emerging risks, turning complex threat data into actionable intelligence.

Article Link: https://socradar.io/cve-2025-20281-cve-2025-20282-critical-cisco-ise-rce/