Urgent Cisco ISE/ISE-PIC Alert: Two Critical RCE Flaws (CVSS 10.0) Allow Unauthenticated Root Access
Cisco has released critical security updates to address two severe vulnerabilities in its network security products. Both issues affect Cisco Identity Services Engine (ISE) and its associated component, the ISE Passive Identity Connector (ISE-PIC). Exploiting these flaws could allow threat actors to gain complete control over vulnerable devices by executing arbitrary code with superuser privileges.
The vulnerabilities are tracked as CVE-2025-20281 and CVE-2025-20282. Cisco has assigned both the maximum CVSS score of 10.0. The National Vulnerability Database (NVD) rates CVE-2025-20281 slightly lower, at 9.8, though this does little to diminish its gravity.
Cisco ISE is an enterprise-grade access control platform designed to manage network authentication and authorization. It can be deployed on dedicated hardware, virtual machines, or within cloud environments. The ISE-PIC component plays a pivotal role by aggregating user credential data and forwarding it to other security systems, making it an essential element in identity infrastructure.
Cisco has emphasized that the two vulnerabilities are unrelated and can be exploited independently. Remediating one does not mitigate the other.
CVE-2025-20281 was identified in ISE and ISE-PIC versions 3.3 and 3.4, with earlier releases unaffected. Experts have attributed the flaw to inadequate input validation in the API. An unauthenticated attacker could craft a specially formed request—without requiring any user credentials or prior access—and obtain root-level privileges, thereby seizing full control of the device.
The second flaw, CVE-2025-20282, also involves the internal API but operates through a different attack vector. This vulnerability stems from the absence of file upload validation. An attacker could upload a malicious payload into protected system directories and subsequently execute arbitrary code, again achieving root access. This issue, however, is confined to version 3.4; earlier versions, including 3.3, remain unaffected.
As of now, there are no reports of these vulnerabilities being exploited in the wild. Cisco has opted not to disclose technical specifics to afford administrators time to patch their systems and preempt a potential wave of attacks.
To mitigate CVE-2025-20281, administrators are advised to update to at least version 3.3 with patch 6 or version 3.4 with patch 2. CVE-2025-20282, on the other hand, mandates an upgrade to version 3.4 patch 2 as the sole remedy.
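As an added illustration (not Cisco's tooling or code from this advisory), the following Python script encodes the affected release trains and fixed patch levels stated above so that an inventory of ISE/ISE-PIC nodes can be triaged for outstanding patches. The hostnames and version strings are constructed, and the version-string format it parses (for example "3.4 Patch 1" or "3.4.0.608 P2") is an assumption.

```python
import re

# Fix matrix as stated in the advisory: CVE-2025-20281 affects 3.3 and 3.4
# and is fixed in 3.3 Patch 6 / 3.4 Patch 2; CVE-2025-20282 affects only 3.4
# and is fixed in 3.4 Patch 2. Release trains not listed are unaffected.
FIXES = {
    "CVE-2025-20281": {(3, 3): 6, (3, 4): 2},
    "CVE-2025-20282": {(3, 4): 2},
}

# Assumed version-string format: "<major>.<minor>[.<build>...] [P|Patch <n>]"
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.\d+)*\s*(?:[Pp](?:atch)?\s*(\d+))?\s*$"
)


def parse_version(text):
    """Parse an ISE version string into ((major, minor), patch).
    The patch level defaults to 0 when the string carries none."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor)), int(patch or 0)


def unpatched_cves(version_text):
    """Return the CVEs from this advisory that still apply to the given
    ISE/ISE-PIC version (an empty list means no action is required)."""
    train, patch = parse_version(version_text)
    return [cve for cve, fixed in FIXES.items()
            if train in fixed and patch < fixed[train]]


def triage(inventory):
    """Map hostname -> version string to hostname -> outstanding CVEs."""
    return {host: unpatched_cves(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "ise-pan-01": "3.4 Patch 1",
        "ise-psn-02": "3.3 Patch 6",
        "ise-pic-01": "3.2 Patch 7",
        "ise-lab": "3.4.0.608 P2",
    }
    for host, cves in triage(sample).items():
        print(f"{host}: {', '.join(cves) if cves else 'no action required'}")
```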
This is not the first time ISE and ISE-PIC components have faced critical API-related vulnerabilities this year. Previous flaws—also rated at the maximum severity—enabled attackers to compromise systems, but required at least read-only administrative credentials, adding a layer of complexity. In contrast, the current vulnerabilities can be exploited through simple file uploads or crafted requests, without any authentication, marking a stark escalation in risk.