Critical Cisco ISE RCE (CVSS 10.0) Follows Active FortiWeb Exploits
Cisco has issued an updated advisory regarding a critical vulnerability in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) products. This flaw enables remote attackers to execute arbitrary code on the operating system with superuser privileges. Designated as CVE-2025-20337, the vulnerability has received the maximum CVSS severity score of 10.0. Notably, this marks the second such vulnerability in a short span, following the recently addressed CVE-2025-20281.
According to Cisco, the issue stems from insufficient validation of user-supplied input via a specific API. Exploiting the flaw requires no authentication—an attacker simply needs to send a specially crafted API request. If successful, this could grant them full system-level access to the affected device.
The vulnerability impacts ISE and ISE-PIC versions 3.3 and 3.4, regardless of configuration. Earlier versions—3.2 and below—remain unaffected. Cisco has already released patches: Update 7 for version 3.3 and Update 2 for version 3.4. As of now, there are no known instances of the vulnerability being exploited in the wild, but security experts emphasize the importance of promptly applying the patches.
Meanwhile, threat actors are actively exploiting CVE-2025-25257 in Fortinet FortiWeb. According to The Shadowserver Foundation, attackers began mass exploitation using publicly available exploit code on July 11, deploying web shells on vulnerable systems. By July 15, 77 compromised instances had been recorded, eight fewer than the previous day. The majority of cases were found in North America (44), followed by Asia (14) and Europe (13).
Censys analysis reveals that over 20,000 Fortinet FortiWeb instances are exposed online, not counting honeypots. While the exact number of vulnerable systems remains uncertain, researchers are alarmed because the exploit allows arbitrary SQL commands to be executed via specially crafted HTTP requests, and that SQL execution in turn leads to remote code execution on the server.