Cisco confirms active exploitation of ISE and ISE-PIC flaws
July 22, 2025 
Cisco warns of active exploits targeting Identity Services Engine (ISE) and ISE-PIC flaws, first observed in July 2025.
Cisco confirmed attempted exploitation in the wild of recently disclosed ISE and ISE-PIC flaws (CVE-2025-20281, CVE-2025-20282, CVE-2025-20337), updating its advisory after detecting attacks in July 2025.
“Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user.” reads the advisory. “In July 2025, the Cisco PSIRT became aware of attempted exploitation of some of these vulnerabilities in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate these vulnerabilities.”
In June, Cisco addressed the critical vulnerabilities CVE-2025-20281 and CVE-2025-20282 in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could allow remote, unauthenticated attackers to execute arbitrary code with root privileges.
“Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user.” reads the advisory.
CVE-2025-20281 (CVSS score of 10) affects Cisco ISE/ISE-PIC 3.3+, while CVE-2025-20282 (CVSS score of 10) impacts only version 3.4. Versions outside these ranges are not impacted.
CVE-2025-20281 is a critical flaw in Cisco ISE/ISE-PIC allowing unauthenticated remote attackers to execute code as root via a vulnerable API.
“This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request.” continues the advisory. “A successful exploit could allow the attacker to obtain root privileges on an affected device.”
The second flaw, tracked as CVE-2025-20282, is a critical issue in Cisco ISE/ISE-PIC allowing unauthenticated remote attackers to upload and execute files as root via an internal API.
“This vulnerability is due a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. An attacker could exploit this vulnerability by uploading a crafted file to the affected device.” reads the advisory. “A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system.”
Last week, Cisco addressed the critical vulnerability CVE-2025-20337 (CVSS score of 10) in Identity Services Engine (ISE) and Cisco Identity Services Engine Passive Identity Connector (ISE-PIC). An attacker could trigger the vulnerability to execute arbitrary code on the underlying operating system with root privileges.
“Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user.” reads the report published by the IT giant.
The vulnerability CVE-2025-20337 is similar to CVE-2025-20281.
Cisco did not share details about the attacks exploiting the flaws and the threat actors behind them.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Identity Services Engine)