Cisco patches max-severity flaw in Identity Services Engine

Cisco recently issued urgent security updates to address two critical remote code execution (RCE) vulnerabilities in its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC).

ISE is widely deployed in enterprise, government, and academic networks as a core network access control and policy enforcement platform. These vulnerabilities could allow unauthenticated users to gain full root-level control of affected systems, without any user interaction.

• CVE-2025-20281 is due to insufficient input validation in an exposed API. An attacker can send a specially crafted request to execute malicious operating systems commands as root. Affected versions include Cisco ISE versions 3.3 and 3.4 as well as Cisco ISE-PIC versions 3.3 and 3.4. The vulnerability received a CVSS score of 9.8 out of 10.
• CVE-2025-20282 is due to improper file validation in an internal API and allows one to upload and execute malicious files in privileged directories. Cisco ISE version 3.4 and Cisco ISE-PIC version 3.4 are affected by the vulnerability, which carries the maximum CVSS score of 10.

Cisco has not identified any active exploitation in the wild but urges immediate patching. No workarounds are available.

Recommended fixes:

• ISE 3.3: Upgrade to Patch 6 (ise-apply-CSCwo99449_3.3.0.430_patch4)
• ISE 3.4: Upgrade to Patch 2 (ise-apply-CSCwo99449_3.4.0.608_patch1)

Stay on top of emerging threats.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up

Analyst notes:

Organizations relying on Cisco ISE should prioritize patching immediately, as no workarounds are available. Additionally, review and restrict access to exposed APIs and ensure systems are not publicly accessible without proper authentication controls.