Cisco Fixes Two Critical Make-me-root Bugs On Identity Services Engine Components

Cisco has dropped patches for a pair of critical vulnerabilities that could allow unauthenticated remote attackers to execute code on vulnerable systems.

Tracked as CVE-2025-20281 and CVE-2025-20282, Cisco assigned them both maximum 10/10 severity ratings, although the former was reduced to 9.8 by the National Vulnerability Database.

Both bugs affect Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC), allowing attackers to execute code on the underlying OS as root. 

Put simply, it means they are both about as bad as they come.

ISE is a network access control solution, which can be found running on secure network servers, VMs, and some cloud instances. 

ISE-PIC is used in the user authentication process, passively gathering up identity data and feeding it into other security tools.

Cisco said the two vulnerabilities are independent – they can be exploited individually, and exploiting one is not a requirement for exploiting the other.

CVE-2025-20281 affects the current version of ISE and ISE-PIC (3.4) as well as 3.3, but none before those two most recent iterations.

There are no known active exploits for either vulnerability as yet, Cisco said. Full details about them are being kept under wraps, presumably to allow admins the time to apply the available patches, thus preventing a wave of attacks making use of the weakness.

However, we know the underlying issue is in an API and the vulnerability exists due to insufficient validation of user-supplied input. 

An attacker can submit a specially crafted request to that API, without the need for authentication or valid credentials, and gain root privileges on the device.

CVE-2025-20282 is similarly the result of a vulnerable internal API and by abusing it, unauthenticated attackers can upload files onto an affected device and execute them on the underlying OS as root.

Cisco said in its advisory: "This vulnerability is due to a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. 

"An attacker could exploit this vulnerability by uploading a crafted file to the affected device. A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system."

Unlike CVE-2025-20281, this 10/10 number only affects the current version of ISE and ISE-PIC, version 3.4.

Cisco said updates are available to customers now, and they should be applied at the earliest opportunity, since there are no workarounds that can mitigate either vulnerability.

For CVE-2025-20281, upgrading to version 3.3 patch 6 or 3.4 patch 2 is the way to go.

And for CVE-2025-20282, version 3.4 patch 2 is the only update available, since version 3.3 is not vulnerable to this bug specifically.

Likewise, versions 3.2 and earlier are not vulnerable to these security issues, but will be to others, so where possible it's always best to upgrade to the latest available version.
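The version boundaries above are easy to get wrong across a fleet, so here is a small triage helper that encodes them: it parses an ISE/ISE-PIC version string, checks it against the affected trains and first-fixed patch levels the article gives, and reports which of the two CVEs are still outstanding. This is an added example, not Cisco's tooling; the version string formats it accepts ("3.4", "3.4 Patch 1", "3.3p6") and the inventory dictionary are assumptions I constructed, and the fix levels are taken only from the text above.

```python
"""Patch-level triage for the two Cisco ISE / ISE-PIC advisories.

Affected trains and first-fixed patch levels come from the article:
  CVE-2025-20281: 3.3 (fixed 3.3 Patch 6) and 3.4 (fixed 3.4 Patch 2)
  CVE-2025-20282: 3.4 only (fixed 3.4 Patch 2)
  3.2 and earlier: not affected by either
The accepted version-string format is an assumption about how an
inventory export might label releases, not a Cisco format.
"""
import re
from typing import Dict, List, NamedTuple


class IseVersion(NamedTuple):
    major: int
    minor: int
    patch: int  # 0 means base release with no patch applied


# Accepts "3.4", "3.4.0.608", "3.4 Patch 2", "3.3p6" (case-insensitive).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.\d+)*(?:\s*(?:patch|p)\s*(\d+))?\s*$",
    re.IGNORECASE,
)

# Per CVE: release train -> first patch level that contains the fix.
FIXES: Dict[str, Dict[tuple, int]] = {
    "CVE-2025-20281": {(3, 3): 6, (3, 4): 2},
    "CVE-2025-20282": {(3, 4): 2},
}

# Trains the article explicitly covers; anything newer is not vouched for here.
NEWEST_COVERED_TRAIN = (3, 4)


def parse_version(text: str) -> IseVersion:
    """Turn an inventory version label into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    major, minor, patch = m.groups()
    return IseVersion(int(major), int(minor), int(patch or 0))


def outstanding_cves(text: str) -> List[str]:
    """Return the CVEs from this advisory still unfixed at the given version.

    Raises ValueError for trains newer than the article covers, so they are
    flagged for manual review rather than silently reported as clean.
    """
    v = parse_version(text)
    train = (v.major, v.minor)
    if train > NEWEST_COVERED_TRAIN:
        raise ValueError(f"train {train[0]}.{train[1]} not covered by this advisory")
    unfixed = []
    for cve, trains in FIXES.items():
        first_fixed = trains.get(train)
        # Trains absent from the table (3.2 and earlier) are not affected.
        if first_fixed is not None and v.patch < first_fixed:
            unfixed.append(cve)
    return unfixed


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map hostname -> outstanding CVEs for a hostname -> version inventory."""
    return {host: outstanding_cves(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "ise-pan-01": "3.4",
        "ise-psn-02": "3.4 Patch 2",
        "ise-pic-01": "3.3 Patch 5",
        "ise-lab-01": "3.2 Patch 7",
    }
    for host, cves in triage(sample).items():
        print(f"{host}: {'up to date' if not cves else ', '.join(cves)}")
```

Hosts on 3.2 or older come back clean for these two bugs only; the article's point that older trains carry other issues still stands, which is why the helper raises rather than guesses for trains it was never told about.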

An example of this can be found from earlier this year when Cisco put out patches for the same two components, ISE and ISE-PIC, and those flaws affected version 3.0 up to and including 3.3.

Like the latest pair, they were both critical-rated and facilitated by API flaws, but came with the added difficulty of requiring valid read-only admin credentials. ®
