Cisco has disclosed two critical vulnerabilities in its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC) that could allow unauthenticated, remote attackers to execute arbitrary commands with root privileges. The flaws—CVE-2025-20281 and CVE-2025-20282—both carry a maximum CVSS score of 10.0, underscoring their severity.
The first vulnerability, CVE-2025-20281, affects Cisco ISE and ISE-PIC versions 3.3 and later. It stems from insufficient input validation in a specific API endpoint. Because of this weakness, an attacker can exploit the flaw by submitting crafted API requests to an affected system. Crucially, the attacker does not need valid credentials to do so.
According to the advisory:
“A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root.”
The result of a successful exploit is the full compromise of the system, enabling arbitrary command execution as the root user. Cisco has addressed this issue in ISE 3.3 Patch 6, and there are no workarounds for mitigating the vulnerability short of patching.
The second vulnerability, CVE-2025-20282, is exclusive to Cisco ISE and ISE-PIC version 3.4. It resides in an internal API that lacks adequate validation of uploaded files. This oversight allows an attacker to upload arbitrary files to privileged directories on the system, which can then be executed with root privileges.
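The defensive pattern that the second flaw lacks is server-side validation of an upload's name and destination before anything is written. The following Python is an added illustration of that control, written for this page; it is not Cisco's code and does not reflect how ISE's internal API is implemented. The upload root `/var/app/uploads`, the allowed suffixes and the file mode are assumptions chosen for the example. The function rejects names carrying path separators or traversal components outright rather than silently normalising them, confirms the resolved destination still lies under the upload root as defence in depth, and writes with `O_EXCL` and a non-executable mode so that an accepted file can neither clobber an existing one nor land somewhere it could be run as a privileged user.

```python
import os
import pathlib

# Assumed, non-privileged upload root and a short allowlist of suffixes.
UPLOAD_ROOT = "/var/app/uploads"
ALLOWED_SUFFIXES = {".csv", ".pem", ".txt"}


class RejectedUpload(ValueError):
    """Raised when a client-supplied file name fails validation."""


def safe_upload_path(client_name: str, upload_root: str = UPLOAD_ROOT) -> str:
    """Validate a client-supplied file name and return the absolute destination.

    The name must be a single path component (no '/', no '\\', no traversal
    components), must not be hidden, must not contain NUL, and must end in an
    allowed suffix. The resolved destination must still sit under upload_root.
    """
    if not client_name or "\x00" in client_name:
        raise RejectedUpload("empty name or embedded NUL")
    if "/" in client_name or "\\" in client_name:
        raise RejectedUpload("path separators are not allowed in a file name")
    if client_name in {".", ".."} or client_name.startswith("."):
        raise RejectedUpload("dot-names and hidden files are not allowed")
    if pathlib.PurePath(client_name).suffix.lower() not in ALLOWED_SUFFIXES:
        raise RejectedUpload("file type not in allowlist")

    root = pathlib.Path(upload_root).resolve()
    dest = (root / client_name).resolve()
    # Defence in depth: even after the checks above, insist the final path is
    # a direct child of the upload root (catches symlinked roots and similar).
    if dest.parent != root:
        raise RejectedUpload("destination escapes the upload root")
    return str(dest)


def is_acceptable(client_name: str, upload_root: str = UPLOAD_ROOT) -> bool:
    """Boolean wrapper around safe_upload_path for callers that only need a verdict."""
    try:
        safe_upload_path(client_name, upload_root)
        return True
    except RejectedUpload:
        return False


def store_upload(data: bytes, client_name: str, upload_root: str = UPLOAD_ROOT) -> str:
    """Write validated upload content to disk and return the stored path.

    O_CREAT|O_EXCL refuses to overwrite an existing file; mode 0o640 keeps the
    stored file non-executable and unreadable by other local accounts.
    """
    dest = safe_upload_path(client_name, upload_root)
    os.makedirs(upload_root, mode=0o750, exist_ok=True)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


if __name__ == "__main__":
    # Constructed sample names a server might receive in an upload request.
    for name in ["report.csv", "../../etc/cron.d/job", "shell.sh", ".bashrc", "a\\b.txt"]:
        print(f"{name!r:30} -> {'accept' if is_acceptable(name, '/tmp/uploads') else 'reject'}")
```

The traversal and separator checks run before any filesystem call, so the decision does not depend on the process's current working directory or on what already exists under the upload root.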
Cisco’s advisory explains:
“A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system.”
As with the first vulnerability, exploitation requires no user authentication, and no workaround exists aside from applying Cisco’s Patch 2 for version 3.4. Both patches for CVE-2025-20281 and CVE-2025-20282 are available through Cisco’s support channels and software repositories.
At the time of publication, Cisco’s Product Security Incident Response Team (PSIRT) has not observed any public exploitation.
Still, given the unauthenticated nature and root-level impact of these flaws, the risk of future exploitation is high. Organizations are strongly encouraged to apply the relevant patches immediately.
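For an operator with several ISE or ISE-PIC nodes, the practical first step is to map each node's version and patch level against the affected trains and fix levels named above. The following Python is an added triage helper written for this page, not a Cisco tool; it encodes only what the write-up states: CVE-2025-20281 affects 3.3 and later and is fixed in 3.3 Patch 6, and CVE-2025-20282 affects only 3.4 and is fixed in 3.4 Patch 2. One entry is an assumption and is marked as such in the code: that 3.4 Patch 2 also clears CVE-2025-20281 on the 3.4 train, which the write-up does not state explicitly. The version strings in the demo are constructed.

```python
import re

# Patch level at which each CVE is fixed, per train ("major.minor").
# The 3.4 entry for CVE-2025-20281 is an ASSUMPTION: the write-up only names
# 3.4 Patch 2 as the fix for CVE-2025-20282. Confirm against Cisco's advisory.
FIXED_PATCH = {
    "CVE-2025-20281": {"3.3": 6, "3.4": 2},
    "CVE-2025-20282": {"3.4": 2},
}


def is_affected(cve: str, train: tuple) -> bool:
    """Affected-train rules as stated in the write-up."""
    if cve == "CVE-2025-20281":
        return train >= (3, 3)          # "3.3 and later"
    if cve == "CVE-2025-20282":
        return train == (3, 4)          # "exclusive to ... version 3.4"
    raise KeyError(cve)


# Accepts "3.3 Patch 6", "3.4.0.608 p1", "3.3" (no patch -> 0); case-insensitive.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.\d+)*\s*(?:(?:patch|p)\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str):
    """Return ((major, minor), patch) or raise ValueError for unrecognised input."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    train = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3)) if m.group(3) else 0
    return train, patch


def assess(text: str) -> dict:
    """Map each CVE to one of: 'not affected', 'patched', 'vulnerable',
    or 'unknown fix level' (affected train with no fix level given here)."""
    train, patch = parse_version(text)
    key = f"{train[0]}.{train[1]}"
    verdict = {}
    for cve, fixes in FIXED_PATCH.items():
        if not is_affected(cve, train):
            verdict[cve] = "not affected"
        elif key not in fixes:
            verdict[cve] = "unknown fix level"
        elif patch >= fixes[key]:
            verdict[cve] = "patched"
        else:
            verdict[cve] = "vulnerable"
    return verdict


def needs_action(text: str) -> bool:
    """True if any CVE is vulnerable or its fix level is not known from this page."""
    return any(v in ("vulnerable", "unknown fix level") for v in assess(text).values())


if __name__ == "__main__":
    # Constructed inventory; replace with the output of 'show version' per node.
    inventory = {
        "ise-pan-1": "3.3 Patch 5",
        "ise-pan-2": "3.3.0.430 Patch 6",
        "ise-psn-1": "3.4",
        "ise-psn-2": "3.4 p2",
        "ise-legacy": "3.2 Patch 7",
    }
    for node, version in inventory.items():
        flag = "ACTION" if needs_action(version) else "ok"
        print(f"{node:12} {version:20} {flag:7} {assess(version)}")
```

Anything reported as `unknown fix level` (a train newer than 3.4, which the write-up says is still in scope for CVE-2025-20281) should be checked against the vendor advisory rather than treated as clean.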