Critical Cisco ISE Cloud Vulnerability (CVSS 9.9) with PoC Exploit Threatens AWS, Azure, OCI
Ddos 
Cisco has patched a critical vulnerability (CVE-2025-20286, CVSS 9.9) that affects cloud-based deployments of its Identity Services Engine (ISE) across AWS, Microsoft Azure, and Oracle Cloud Infrastructure (OCI). The flaw could allow unauthenticated remote attackers to access sensitive data and execute administrative operations.
βThis vulnerability exists because credentials are improperly generated when Cisco ISE is being deployed on cloud platforms… resulting in different Cisco ISE deployments sharing the same credentials.β the advisory explains.
CVE-2025-20286 allows attackers to extract static credentials from one instance of Cisco ISE and reuse them to gain access to other deployments on the same cloud platform and release version. This massive configuration oversight affects the Primary Administration node when deployed in the cloud.
βAn attacker could exploit this vulnerability by extracting the user credentials from Cisco ISE that is deployed in the cloud and then using them to access Cisco ISE that is deployed in other cloud environments through unsecured ports.β
A successful exploit can result in:
- Unauthorized data access
- Configuration changes
- Execution of limited admin operations
- Service disruption
The vulnerability impacts the following Cisco ISE cloud deployments:
| Platform | Vulnerable Releases |
|---|---|
| AWS | 3.1, 3.2, 3.3, 3.4 |
| Azure | 3.2, 3.3, 3.4 |
| OCI | 3.2, 3.3, 3.4 |
Notably, credentials are shared per platform and release, e.g., all 3.1 instances on AWS have the same static credentials.
While no workarounds exist, Cisco suggests mitigation strategies such as:
- Restrict source IPs using cloud security groups
- Restrict access via the ISE UI to known administrator IPs
- For fresh installs: βRun the
application reset-config isecommand to reset user passwords to a new value.β This will reset Cisco ISE to factory defaults.
Cisco warns: βRestoring a backup will restore the original credentials.β
Cisco recommends applying the hotfix ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz to affected versions (3.1β3.4) and migrating to the following fixed releases:
- 3.3 β 3.3P8 (available November 2025)
- 3.4 β 3.4P3 (available October 2025)
- 3.5 will ship with the fix by default (expected August 2025)
The Cisco PSIRT confirmed:
βProof-of-concept exploit code is available… The Cisco PSIRT is not aware of any malicious use of the vulnerability.β
Still, with the existence of public exploit code, cloud admins are urged to treat this as a critical risk and patch immediately.
Related Posts:
- RADIUS Risk: Unauthenticated Remote Attacker Can Crash Cisco ISE by Default
- Warning: CVE-2024-20469 in Cisco ISE with PoC Code Puts Networks at Risk
- Cisco Addresses Multiple Security Vulnerabilities Affecting its Products
- CVE-2025-20124 (CVSS 9.9) & CVE-2025-20125 (CVSS 9.1): Cisco Patches Critical Flaws in Identity Services Engine
- Cisco releases patch to fix three high security bugs
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
