Cisco has issued an urgent update to its security advisory, revealing that three critical remote code execution (RCE) vulnerabilities in Cisco Identity Services Engine (ISE) and ISE-PIC are being actively exploited in the wild. The flaws, tracked as CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337, carry maximum severity scores of 10.0 and pose a grave threat to enterprise network infrastructure.
“In July 2025, the Cisco PSIRT became aware of attempted exploitation of some of these vulnerabilities in the wild,” Cisco warns. “Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate these vulnerabilities.”
- CVE-2025-20281: Command Execution via Exposed API
This vulnerability stems from insufficient validation of user-supplied input in an exposed API. An unauthenticated attacker can exploit it by sending a specially crafted API request, enabling arbitrary OS command execution as the root user.
- CVE-2025-20282: Arbitrary File Upload
This flaw is due to poor file validation in an internal API, allowing an attacker to upload arbitrary files to privileged directories and then execute them with root privileges—without any user interaction.
- CVE-2025-20337: Malicious File Storage & Code Execution
The third and newest addition to the advisory, discovered by Kentaro Kawane from GMO Cybersecurity and disclosed via Trend Micro’s Zero Day Initiative, also enables unauthenticated attackers to store malicious files and execute arbitrary code on vulnerable systems.
“These vulnerabilities affect Cisco ISE and ISE-PIC releases 3.3 and 3.4, regardless of device configuration,” Cisco states, adding that “these vulnerabilities do not affect Cisco ISE and ISE-PIC Release 3.2 or earlier.”
Cisco ISE is a core component of enterprise network security, used for network access control (NAC), identity management, and policy enforcement in major enterprises, governments, and academic institutions.
These flaws open the door to complete system compromise—an attacker doesn’t need credentials or user interaction to take control.
There are no workarounds or mitigations, making patching the only defense.
| Cisco ISE or ISE-PIC Release | First Fixed Release for CVE-2025-20281 | First Fixed Release for CVE-2025-20282 | First Fixed Release for CVE-2025-20337 |
|---|---|---|---|
| 3.2 and earlier | Not vulnerable | Not vulnerable | Not vulnerable |
| 3.3 | 3.3 Patch 7 | Not vulnerable | 3.3 Patch 7 |
| 3.4 | 3.4 Patch 2 | 3.4 Patch 2 | 3.4 Patch 2 |
Organizations running Cisco ISE 3.3 or 3.4 must urgently upgrade to the fixed releases. Leaving these systems unpatched could lead to catastrophic breaches, lateral movement, or full network takeovers.
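To turn the fixed-release table into something an asset owner can run against an inventory export, the following added example (not code from Cisco or from the original advisory) parses ISE/ISE-PIC version strings and reports, per host, which of the three CVEs remain unaddressed. The accepted version-string formats (`3.3 Patch 6`, `3.4.0.608 Patch 2`) and the constructed host list are assumptions of this example; a release newer than 3.4 is reported as "not covered by the advisory" rather than as safe, because the table says nothing about it.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed patch level per (release, CVE), transcribed from the advisory table.
# None means the advisory lists that release as not vulnerable to the CVE.
FIRST_FIXED_PATCH: Dict[str, Dict[str, Optional[int]]] = {
    "3.3": {"CVE-2025-20281": 7, "CVE-2025-20282": None, "CVE-2025-20337": 7},
    "3.4": {"CVE-2025-20281": 2, "CVE-2025-20282": 2, "CVE-2025-20337": 2},
}

# Assumed input format: "<major>.<minor>[.<build>...] [Patch <n>]", case-insensitive.
VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.\d+)*(?:\s*(?:patch|p)\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[str, int]:
    """Return (release, patch_level) from a version string such as '3.3 Patch 6'.

    A missing patch suffix is treated as patch level 0 (base release).
    """
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    release = f"{m.group(1)}.{m.group(2)}"
    patch = int(m.group(3)) if m.group(3) else 0
    return release, patch


def unpatched_cves(text: str) -> Optional[List[str]]:
    """CVEs from the advisory that the given version is still exposed to.

    Returns [] when nothing is outstanding, or None when the release is newer
    than anything in the table, so the caller cannot treat it as fixed.
    """
    release, patch = parse_version(text)
    major, minor = (int(x) for x in release.split("."))
    if (major, minor) <= (3, 2):
        return []  # "3.2 and earlier" are not vulnerable per the advisory
    row = FIRST_FIXED_PATCH.get(release)
    if row is None:
        return None  # not covered by the advisory table
    return [cve for cve, fixed in row.items() if fixed is not None and patch < fixed]


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> one-line status for a {host: version_string} inventory."""
    report = {}
    for host, version in inventory.items():
        try:
            outstanding = unpatched_cves(version)
        except ValueError as exc:
            report[host] = f"UNPARSED ({exc})"
            continue
        if outstanding is None:
            report[host] = "NOT COVERED BY ADVISORY - verify manually"
        elif outstanding:
            report[host] = "UPGRADE REQUIRED: " + ", ".join(outstanding)
        else:
            report[host] = "OK"
    return report


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = {
    "ise-pan-01": "3.3 Patch 6",
    "ise-pan-02": "3.4.0.608 Patch 2",
    "ise-psn-01": "3.4",
    "ise-psn-02": "3.2 Patch 5",
    "ise-lab-01": "3.5",
    "ise-old-01": "version unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {status}")
```

Feed it the version column from whatever inventory or CMDB export you maintain; the point of the None branch is that a version the table does not mention should surface for manual confirmation instead of silently passing as patched.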