Cisco ISE Critical RCE Zero-Days (CVSS 10.0) Actively Exploited In The Wild – Patch Immediately!
Recently uncovered critical vulnerabilities in Cisco’s infrastructure are already being actively exploited by malicious actors to compromise corporate networks. The company has officially confirmed that its Product Security Incident Response Team (PSIRT) has observed real-world attempts to exploit these flaws. The vulnerabilities affect the Cisco Identity Services Engine (ISE) and its associated Passive Identity Connector module (ISE-PIC).
Cisco ISE plays a pivotal role in network access control, determining who may connect to the corporate environment and under what conditions. A breach in the integrity of this platform grants attackers unrestricted access to internal systems, allowing them to bypass authentication and logging mechanisms—effectively transforming the security framework into an open gateway.
In its official advisory, the company identified three critical vulnerabilities, each receiving the highest possible CVSS severity rating of 10.0. All three flaws allow unauthenticated remote attackers to execute commands on the affected device as the root user—granting them the highest level of system privileges:
CVE-2025-20281 and CVE-2025-20337 stem from improper handling of API requests. Inadequate input validation enables an attacker to craft malicious queries capable of executing arbitrary code on the ISE server.
CVE-2025-20282 involves an internal API lacking sufficient file upload restrictions. This oversight allows adversaries to upload a malicious file into a protected directory, where it can be executed with root privileges.
These vulnerabilities are rooted in flawed input validation (in the first two cases) and insufficient file path sanitization (in the third). Exploitation techniques range from submitting specially crafted API calls to uploading pre-armed payloads to the server. In both scenarios, the attacker can circumvent authentication and assume full control of the targeted device.
Although exploitation has been confirmed, Cisco has not disclosed which specific vulnerabilities have been leveraged, who the perpetrators are, or the extent of the campaign. Nonetheless, the emergence of exploit activity underscores the severity of the threat.
Cisco has issued patches addressing all identified flaws and urges customers to immediately update their systems to the latest software versions. Unpatched systems remain exposed to unauthenticated remote compromise—posing a particularly grave risk to networks within highly regulated environments or critical infrastructure sectors.
In addition to applying the updates, security professionals recommend that system administrators closely scrutinize activity logs for indicators of suspicious API calls or unauthorized file uploads—especially in deployments where ISE components are internet-accessible.
The Cisco ISE incident once again illustrates how even the most integral components of security architecture can become dangerously vulnerable in the absence of rigorous interface oversight and user input validation. Given the widespread adoption of these solutions across enterprise environments, a successful compromise could imperil the security posture of an entire internal network.
