
Cisco has issued a security advisory addressing two critical vulnerabilities in its Identity Services Engine (ISE), a network security policy management platform widely used by enterprises. These vulnerabilities—CVE-2025-20124 and CVE-2025-20125—could enable authenticated attackers to execute arbitrary commands as root and bypass authorization controls, posing severe risks to affected systems.
The first vulnerability, CVE-2025-20124 (CVSS 9.9), is an insecure Java deserialization flaw: the affected software deserializes user-supplied Java byte streams without restricting which classes the stream may instantiate. An attacker could exploit it by sending a crafted serialized Java object to an affected API. A successful exploit could allow the attacker to execute arbitrary commands on the device as root and elevate privileges.
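The bug class behind CVE-2025-20124, shown as an added illustration that is not Cisco ISE code and does not represent how the affected API is implemented: a handler that calls `ObjectInputStream.readObject()` on a client-supplied byte stream instantiates any `Serializable` class on the server's classpath before the result is ever cast, so a gadget class's `readObject()` runs first. The hardened version installs a JEP 290 allow-list filter (`ObjectInputFilter`, Java 9+) so that only the expected type is ever constructed. The class names `PolicyRequest`, `Gadget`, `unsafeRead` and `safeRead` are invented for the demonstration, and the hostile payload is constructed inline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example of insecure vs. filtered Java deserialization.
// Generic code, not Cisco ISE code; all names below are invented.
public class DeserializationDemo {

    // The only type the API legitimately expects from a client.
    public static final class PolicyRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String policyName;
        PolicyRequest(String policyName) { this.policyName = policyName; }
    }

    // Stand-in for a gadget class: a Serializable type whose readObject() runs
    // code. A real chain uses a class already on the server's classpath; this
    // one only records that it was invoked.
    public static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean triggered = false;
        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true;   // a real gadget would e.g. spawn a process here
        }
    }

    // VULNERABLE: deserializes whatever byte stream the client sent. Every class
    // in the stream is instantiated before the cast to PolicyRequest happens.
    static PolicyRequest unsafeRead(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return (PolicyRequest) in.readObject();
        }
    }

    // HARDENED: an allow-list deserialization filter rejects every class except
    // the expected one (plus the JDK's own base types) before any object is built.
    static PolicyRequest safeRead(byte[] body) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                PolicyRequest.class.getName() + ";java.base/*;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(filter);   // must be set before the first readObject()
            return (PolicyRequest) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new PolicyRequest("guest-vlan"));
        byte[] hostile = serialize(new Gadget());   // constructed attacker payload

        System.out.println("legit via unsafeRead: " + unsafeRead(legit).policyName);

        try {
            unsafeRead(hostile);
        } catch (ClassCastException e) {
            // Too late: Gadget.readObject() already ran before the cast failed.
            System.out.println("unsafeRead: gadget executed = " + Gadget.triggered);
        }

        Gadget.triggered = false;
        try {
            safeRead(hostile);
        } catch (InvalidClassException e) {
            // The filter rejected the class; Gadget.readObject() never ran.
            System.out.println("safeRead: rejected (" + e.getMessage()
                    + "), gadget executed = " + Gadget.triggered);
        }
    }
}
```

The same allow-list can be applied process-wide with the `jdk.serialFilter` system property instead of per stream, which is the safer default when an application has many deserialization points; per-stream filters are still useful where a specific endpoint accepts a narrower set of types than the rest of the application.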
The second vulnerability, CVE-2025-20125 (CVSS 9.1), is an authorization bypass. A specific API does not check whether the authenticated caller is authorized for the requested operation, and it does not properly validate user-supplied data. An attacker could exploit it by sending a crafted HTTP request to that API. A successful exploit could allow the attacker to obtain information, modify the system configuration, and reload the device.
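The pattern behind CVE-2025-20125, as an added illustration that is not Cisco ISE code and does not describe the affected API: a handler that verifies only that a session exists, then dispatches on an attacker-controlled action string, lets any authenticated user (including a read-only administrator) reach privileged operations such as a configuration change or a device reload. The hardened handler validates the action against a fixed allow-list and enforces a per-action role requirement before doing anything. The roles, action names, `Session` record and handler names are invented for the demonstration.

```java
import java.util.Map;
import java.util.Set;

// Added example of a missing-authorization API handler beside its fix.
// Generic code, not Cisco ISE code; roles and action names are invented.
public class AuthorizationDemo {

    enum Role { READ_ONLY_ADMIN, SUPER_ADMIN }

    // An authenticated session; in a real service this comes from the login layer.
    record Session(String user, Role role) {}

    // Which roles may invoke each action. Anything not listed is not a valid action.
    private static final Map<String, Set<Role>> ALLOWED_ROLES = Map.of(
            "getConfig", Set.of(Role.READ_ONLY_ADMIN, Role.SUPER_ADMIN),
            "setConfig", Set.of(Role.SUPER_ADMIN),
            "reload",    Set.of(Role.SUPER_ADMIN));

    // VULNERABLE: authentication is checked, authorization is not. Any valid
    // session can invoke any action, so a read-only admin can trigger "reload".
    static String handleUnsafe(Session session, String action) {
        if (session == null) return "401 unauthenticated";
        if (!ALLOWED_ROLES.containsKey(action)) return "400 unknown action";
        return "200 " + action + " executed by " + session.user();
    }

    // HARDENED: reject unknown input first, then enforce the role the action
    // requires, and only then execute. Deny by default: no entry means no access.
    static String handleSafe(Session session, String action) {
        if (session == null) return "401 unauthenticated";
        Set<Role> permitted = ALLOWED_ROLES.get(action);
        if (permitted == null) return "400 unknown action";
        if (!permitted.contains(session.role())) return "403 forbidden";
        return "200 " + action + " executed by " + session.user();
    }

    public static void main(String[] args) {
        // Constructed sample sessions for the demonstration.
        Session readOnly = new Session("auditor", Role.READ_ONLY_ADMIN);
        Session superAdmin = new Session("netops", Role.SUPER_ADMIN);

        for (String action : new String[] {"getConfig", "setConfig", "reload", "dropDb"}) {
            System.out.printf("%-10s unsafe/read-only: %-28s safe/read-only: %-20s safe/super: %s%n",
                    action,
                    handleUnsafe(readOnly, action),
                    handleSafe(readOnly, action),
                    handleSafe(superAdmin, action));
        }
    }
}
```

The unsafe handler returns `200` for `reload` with the read-only session; the safe handler returns `403` for `setConfig` and `reload` with that session and `200` only for `getConfig`, while still allowing all three for the super admin. Note that the allow-list also serves as the input validation step: an action string that is not a key in the map is rejected before any privilege decision is made.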
Both vulnerabilities require the attacker to hold valid read-only administrative credentials, so neither is exploitable anonymously, but a low-privilege admin account is enough. The reload capability has an operational impact of its own: in a single-node deployment, new devices will not be able to authenticate while the node is reloading.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
| Cisco ISE Software Release | First Fixed Release |
|---|---|
| 3.0 | Migrate to a fixed release. |
| 3.1 | 3.1P10 |
| 3.2 | 3.2P7 |
| 3.3 | 3.3P4 |
| 3.4 | Not vulnerable. |
Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory. Organizations using Cisco ISE or ISE-PIC are urged to update their software to the latest versions as soon as possible.