Login Sign Up

CVE-2025-20281

10.0 CRITICAL CISA KEV
Remote Code Execution

📋 TL;DR

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers to execute arbitrary commands as root without credentials. This affects organizations using vulnerable versions of these Cisco identity services products. Attackers can gain complete control of affected devices.

💻 Affected Systems

Products:
  • Cisco Identity Services Engine (ISE)
  • Cisco Identity Services Engine - Passive Identity Connector (ISE-PIC)
Versions: Specific versions as detailed in Cisco advisory (check vendor advisory for exact ranges)
Operating Systems: Cisco ISE OS
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with vulnerable versions are affected regardless of configuration. The vulnerable API endpoint is part of core functionality.

📦 What is this software?

Identity Services Engine by Cisco

View all CVEs affecting Identity Services Engine →

Identity Services Engine by Cisco

View all CVEs affecting Identity Services Engine →

Identity Services Engine by Cisco

View all CVEs affecting Identity Services Engine →

Identity Services Engine by Cisco

View all CVEs affecting Identity Services Engine →

Identity Services Engine by Cisco

View all CVEs affecting Identity Services Engine →

Identity Services Engine by Cisco

View all CVEs affecting Identity Services Engine →

Identity Services Engine by Cisco

View all CVEs affecting Identity Services Engine →

Identity Services Engine by Cisco

View all CVEs affecting Identity Services Engine →

Identity Services Engine by Cisco

View all CVEs affecting Identity Services Engine →

Identity Services Engine Passive Identity Connector by Cisco

View all CVEs affecting Identity Services Engine Passive Identity Connector →

Identity Services Engine Passive Identity Connector by Cisco

View all CVEs affecting Identity Services Engine Passive Identity Connector →

Identity Services Engine Passive Identity Connector by Cisco

View all CVEs affecting Identity Services Engine Passive Identity Connector →

Identity Services Engine Passive Identity Connector by Cisco

View all CVEs affecting Identity Services Engine Passive Identity Connector →

Identity Services Engine Passive Identity Connector by Cisco

View all CVEs affecting Identity Services Engine Passive Identity Connector →

Identity Services Engine Passive Identity Connector by Cisco

View all CVEs affecting Identity Services Engine Passive Identity Connector →

Identity Services Engine Passive Identity Connector by Cisco

View all CVEs affecting Identity Services Engine Passive Identity Connector →

Identity Services Engine Passive Identity Connector by Cisco

View all CVEs affecting Identity Services Engine Passive Identity Connector →

Identity Services Engine Passive Identity Connector by Cisco

View all CVEs affecting Identity Services Engine Passive Identity Connector →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Cisco ISE infrastructure leading to credential theft, network pivoting, and persistent backdoor installation across the enterprise network.

🟠

Likely Case

Initial foothold in the network followed by lateral movement, privilege escalation, and data exfiltration from connected systems.

🟢

If Mitigated

Limited impact if devices are patched, network segmentation is enforced, and API access is restricted to trusted sources only.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation makes internet-facing devices immediate targets for attackers.
🏢 Internal Only: HIGH - Even internal devices are vulnerable to attackers who gain network access through other means.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CVSS 10.0 indicates trivial exploitation. CISA has added this to Known Exploited Vulnerabilities catalog, suggesting active exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Cisco advisory for specific fixed versions

Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6

Restart Required: Yes

Instructions:

1. Review Cisco advisory for exact affected/fixed versions. 2. Download appropriate patch from Cisco Software Center. 3. Apply patch following Cisco ISE upgrade procedures. 4. Reboot affected devices. 5. Verify patch installation.

🔧 Temporary Workarounds

Network Access Control

all

Restrict access to Cisco ISE management interfaces to trusted IP addresses only

Configure firewall rules to allow only authorized management networks to access ISE API endpoints

API Endpoint Disablement

all

Disable or restrict access to the specific vulnerable API endpoint if possible

Check Cisco advisory for specific endpoint details and disable if not required

🧯 If You Can't Patch

  • Isolate affected devices in a dedicated VLAN with strict network segmentation
  • Implement intrusion detection rules to monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check Cisco ISE version against affected versions listed in Cisco advisory

Check Version:

show version (in Cisco ISE CLI) or check Admin GUI → System → About

Verify Fix Applied:

Verify installed version matches or exceeds fixed versions from Cisco advisory

📡 Detection & Monitoring

Log Indicators:

  • Unusual API requests to ISE endpoints
  • Failed authentication attempts followed by successful API calls
  • System process creation from web/API user context

Network Indicators:

  • Unusual outbound connections from ISE devices
  • Traffic to suspicious IPs from ISE management interfaces
  • Unexpected SSH/RDP sessions originating from ISE

SIEM Query:

source="cisco_ise" AND (http_method="POST" OR http_method="PUT") AND uri_path CONTAINS "/api/" AND status_code=200 AND src_ip NOT IN [trusted_management_ips]

📊 Metadata

CVE ID: CVE-2025-20281
CVSS v3 Score: 10.0 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-74
EPSS Score: 24.04% exploit probability (95.9th percentile)
CISA KEV: Actively Exploited added Jul 28, 2025
Published: June 25, 2025
Last Updated: October 28, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-20281, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)
CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)
CVE-2025-20265 10.0

This critical vulnerability in Cisco Secure Firewall Management Center allows unauthenticated remote...

Same vulnerability type (CWE-74)