Tag: CVE-2025-20281

  • Cisco ISE Critical RCE Zero-Days (CVSS 10.0) Actively Exploited In The Wild – Patch Immediately!

    Recently uncovered critical vulnerabilities in Cisco’s infrastructure are already being actively exploited by malicious actors to compromise corporate networks. The company has officially confirmed that its Product Security Incident Response Team (PSIRT) has observed real-world attempts to exploit these flaws. The vulnerabilities affect the Cisco Identity Services Engine (ISE) and its associated Passive Identity Connector module (ISE-PIC).

    Cisco ISE plays a pivotal role in network access control, determining who may connect to the corporate environment and under what conditions. A breach in the integrity of this platform grants attackers unrestricted access to internal systems, allowing them to bypass authentication and logging mechanisms—effectively transforming the security framework into an open gateway.

    In its official advisory, the company identified three critical vulnerabilities, each receiving the highest possible CVSS severity rating of 10.0. All three flaws allow unauthenticated remote attackers to execute commands on the affected device as the root user—granting them the highest level of system privileges:

    CVE-2025-20281 and CVE-2025-20337 stem from improper handling of API requests. Inadequate input validation enables an attacker to craft malicious queries capable of executing arbitrary code on the ISE server.

    CVE-2025-20282 involves an internal API lacking sufficient file upload restrictions. This oversight allows adversaries to upload a malicious file into a protected directory, where it can be executed with root privileges.

    These vulnerabilities are rooted in flawed input validation (in the first two cases) and insufficient file path sanitization (in the third). Exploitation techniques range from submitting specially crafted API calls to uploading pre-armed payloads to the server. In both scenarios, the attacker can circumvent authentication and assume full control of the targeted device.

    Although exploitation has been confirmed, Cisco has not disclosed which specific vulnerabilities have been leveraged, who the perpetrators are, or the extent of the campaign. Nonetheless, the emergence of exploit activity underscores the severity of the threat.

    Cisco has issued patches addressing all identified flaws and urges customers to immediately update their systems to the latest software versions. Unpatched systems remain exposed to unauthenticated remote compromise—posing a particularly grave risk to networks within highly regulated environments or critical infrastructure sectors.

    In addition to applying the updates, security professionals recommend that system administrators closely scrutinize activity logs for indicators of suspicious API calls or unauthorized file uploads—especially in deployments where ISE components are internet-accessible.

    The Cisco ISE incident once again illustrates how even the most integral components of security architecture can become dangerously vulnerable in the absence of rigorous interface oversight and user input validation. Given the widespread adoption of these solutions across enterprise environments, a successful compromise could imperil the security posture of an entire internal network.

  • Urgent Cisco ISE/ISE-PIC Alert: Two Critical RCE Flaws (CVSS 10.0) Allow Unauthenticated Root Access

    Cisco has released critical security updates to address two severe vulnerabilities in its network security products. Both issues affect Cisco Identity Services Engine (ISE) and its associated component, the ISE Passive Identity Connector (ISE-PIC). Exploiting these flaws could allow threat actors to gain complete control over vulnerable devices by executing arbitrary code with superuser privileges.

    The vulnerabilities are tracked as CVE-2025-20281 and CVE-2025-20282. Cisco has assigned both the highest severity rating of 10 on the CVSS scale. However, the National Vulnerability Database (NVD) has slightly downgraded the score for CVE-2025-20281 to 9.8, though this does little to diminish its gravity.

    Cisco ISE is an enterprise-grade access control platform designed to manage network authentication and authorization. It can be deployed on dedicated hardware, virtual machines, or within cloud environments. The ISE-PIC component plays a pivotal role by aggregating user credential data and forwarding it to other security systems, making it an essential element in identity infrastructure.

    Cisco has emphasized that the two vulnerabilities are unrelated and can be exploited independently. Remediating one does not mitigate the other.

    CVE-2025-20281 was identified in ISE and ISE-PIC versions 3.3 and 3.4, with earlier releases unaffected. Experts have attributed the flaw to inadequate input validation in the API. An unauthenticated attacker could craft a specially formed request—without requiring any user credentials or prior access—and obtain root-level privileges, thereby seizing full control of the device.

    The second flaw, CVE-2025-20282, also involves the internal API but operates through a different attack vector. This vulnerability stems from the absence of file upload validation. An attacker could upload a malicious payload into protected system directories and subsequently execute arbitrary code, again achieving root access. This issue, however, is confined to version 3.4; earlier versions, including 3.3, remain unaffected.

    As of now, there are no reports of these vulnerabilities being exploited in the wild. Cisco has opted not to disclose technical specifics to afford administrators time to patch their systems and preempt a potential wave of attacks.

    To mitigate CVE-2025-20281, administrators are advised to update to at least version 3.3 with patch 6 or version 3.4 with patch 2. CVE-2025-20282, on the other hand, mandates an upgrade to version 3.4 patch 2 as the sole remedy.
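The two remediation statements above (and the "update immediately" advice in the first article) reduce to a version check that a defender will want to run across an inventory of ISE and ISE-PIC nodes. The following is an added example, not code from Cisco or from either article. It assumes version strings of the form "3.3 Patch 5" or "3.4" (a constructed convention) and encodes only the facts the text gives: CVE-2025-20281 affects 3.3 and 3.4 and is fixed in 3.3 Patch 6 / 3.4 Patch 2; CVE-2025-20282 affects 3.4 only and is fixed in 3.4 Patch 2. CVE-2025-20337 is left out because the page names no fixed release for it, and releases the page does not mention are reported as not covered rather than as safe.

```python
# Added example: triage an inventory of Cisco ISE / ISE-PIC nodes against
# the fixed releases named in the advisory text. Not Cisco's code.
# Assumption: version strings look like "3.3 Patch 5" or "3.4" (patch 0).
import re

# Fixed-in patch level per release, exactly as stated on the page.
# A release absent from a CVE's table is one the page says (or does not
# say) is affected, so it is reported as not covered, not as patched.
FIXED_IN = {
    "CVE-2025-20281": {"3.3": 6, "3.4": 2},
    "CVE-2025-20282": {"3.4": 2},
}

_VERSION_RE = re.compile(r"^\s*(\d+\.\d+)(?:\s*patch\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Return (release, patch) for a string such as '3.4 Patch 1'.

    A bare release such as '3.3' is treated as patch level 0.
    Raises ValueError for strings in any other shape, so that a
    malformed inventory entry is never silently treated as patched.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    return m.group(1), int(m.group(2) or 0)


def outstanding_cves(version_text):
    """List the CVEs from the advisory that still apply to this version."""
    release, patch = parse_version(version_text)
    return [
        cve
        for cve, fixes in FIXED_IN.items()
        if release in fixes and patch < fixes[release]
    ]


def triage(inventory):
    """Map hostname -> outstanding CVEs; hosts with nothing outstanding are omitted."""
    report = {}
    for host, version in inventory.items():
        cves = outstanding_cves(version)
        if cves:
            report[host] = cves
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "ise-pan-1": "3.4 Patch 1",
        "ise-psn-2": "3.3 Patch 6",
        "ise-pic-1": "3.3 Patch 4",
        "ise-lab": "3.2 Patch 7",
    }
    for host, cves in triage(sample).items():
        print(f"{host}: needs patching for {', '.join(cves)}")
```

Run it against an export of your deployment's node versions; any host it lists has at least one of the two CVEs unremediated under the page's own fixed-version statements. The strict parser is deliberate: an unrecognised version string raises rather than being scored as patched.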

    This is not the first time ISE and ISE-PIC components have faced critical API-related vulnerabilities this year. Previous flaws—also rated at the maximum severity—enabled attackers to compromise systems, but required at least read-only administrative credentials, adding a layer of complexity. In contrast, the current vulnerabilities can be exploited through simple file uploads or crafted requests, without any authentication, marking a stark escalation in risk.