Cisco has issued an urgent warning regarding active exploitation of critical vulnerabilities in its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC) products. These flaws, with a maximum CVSS score of 10.0, allow unauthenticated attackers to gain root-level access, posing a severe threat to network security. Immediate patching is strongly advised.

Cisco's Critical Security Alert

Cisco's Product Security Incident Response Team (PSIRT) confirmed in July 2025 that a set of critical remote code execution (RCE) vulnerabilities affecting Cisco ISE and ISE-PIC are being actively exploited in the wild. These vulnerabilities, identified as CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337, all carry the highest possible CVSS base score of 10.0, indicating maximum severity and exploitability.

Understanding The Vulnerabilities

These vulnerabilities enable unauthenticated remote attackers to execute arbitrary commands with root privileges on affected systems. The specific flaws are:

• CVE-2025-20281 and CVE-2025-20337: These affect ISE and ISE-PIC releases 3.3 and 3.4. They stem from insufficient input validation in specific public APIs, allowing attackers to submit crafted API requests to gain root access.

• CVE-2025-20282: This vulnerability impacts only ISE and ISE-PIC Release 3.4. It involves an internal API with inadequate file validation checks, enabling attackers to upload malicious files to privileged directories and execute them with root permissions.

All three vulnerabilities can be exploited remotely without authentication, making unpatched systems highly susceptible to pre-authentication remote code execution.

Key Takeaways

• Maximum Severity: All three vulnerabilities have a CVSS score of 10.0.

• Unauthenticated Root Access: Attackers can gain complete control over affected systems without credentials.

• Active Exploitation: Cisco has confirmed that these flaws are being actively exploited in real-world attacks.

• No Workarounds: Immediate patching is the only effective mitigation.

• Critical Infrastructure Impact: ISE is central to network access control, meaning compromise could lead to widespread network control.

Immediate Action Required

Cisco has emphasized that no viable workarounds exist, making immediate patching the only defense. Organizations running affected versions must take prompt action:

1. Identify Affected Systems: Inventory all Cisco ISE and ISE-PIC installations to determine their versions.

2. Prioritize Patching: Treat these vulnerabilities as critical security incidents requiring emergency maintenance.

3. Apply Patches:ISE Release 3.3: Upgrade to 3.3 Patch 7.ISE Release 3.4: Upgrade to 3.4 Patch 2.

It is crucial to note that previous hotfix bundles (e.g., or ) do not fully address CVE-2025-20337 and have been deprecated. Organizations that applied these hotfixes must still upgrade to the specified patch releases.

Impact and Recommendations

Given that Cisco ISE plays a central role in network access control, managing user and device access to corporate networks, a compromise could grant attackers unrestricted access to internal systems, bypassing authentication and logging mechanisms. Security teams should also enhance monitoring for suspicious API activity or unauthorized file uploads, particularly in externally exposed deployments.

This incident underscores the critical importance of continuous education and specialized training in vulnerability management and incident response for cybersecurity teams. Organizations need to be prepared to quickly assess, prioritize, and remediate such high-severity vulnerabilities.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources:

• Cisco Alerts on ISE RCE Vulnerability Actively Exploited, GBHackers News.

• Cisco Confirms Active Exploits Targeting ISE Flaws Enabling Unauthenticated Root Access, The Hacker News.

• Critical Cisco ISE Vulnerabilities Demand Immediate Attention, cbs4indy.com.

• Cisco Warns of Identity Services Engine RCE Vulnerability Exploited in the Wild, CyberSecurityNews.