On June 25, 2025, Cisco disclosed two critical vulnerabilities affecting Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). Tracked as CVE-2025-20281 and CVE-2025-20282, these flaws enable unauthenticated remote attackers to execute arbitrary commands as the root user via exposed HTTPS APIs. CVE-2025-20281 arises from insufficient validation of user-supplied input in a public API, allowing crafted requests to trigger remote code execution. CVE-2025-20282 results from inadequate file validation in an internal API, enabling attackers to upload and execute malicious files within privileged directories.
While Cisco has stated that no in-the-wild exploitation has been confirmed to date, the vulnerabilities are simple to exploit and pose a severe risk to organizations using Cisco ISE and ISE-PIC in enterprise and government environments (Cisco, 2025; The Hacker News, 2025).
Vulnerability Type (CWE)
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’)
CVSS Score
Base Score: 10.0 (Critical)
Attack Vector: Network (remote exploitation over HTTPS APIs)
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed (compromise impacts underlying OS)
Impact on CIA:
- Confidentiality: High
- Integrity: High
- Availability: High
(Cisco, 2025)
Impacted Versions and Mitigation
| Affected Cisco ISE/ISE-PIC Version | Vulnerable To | Required Action |
|---|---|---|
| 3.4 | CVE-2025-20281, CVE-2025-20282 | Upgrade to Patch 2 |
| 3.3 | CVE-2025-20281 | Upgrade to Patch 6 |
Please note: 3.2 and earlier releases of Cisco ISE or ISE-PIC are not vulnerable to CVE-2025-20281 or CVE-2025-20282.
(SOCRadar, 2025; Cisco, 2025; Arctic Wolf, 2025)
Exploit Process
CVE-2025-20281: API Request RCE
- Initial Request:
  - Attacker crafts an HTTP(S) request targeting the vulnerable public API.
- Payload Delivery:
  - Malicious payload is embedded in the request body, exploiting input validation flaws.
- Command Execution:
  - The input is executed on the underlying OS as root, enabling:
    - Full system compromise
    - Credential theft
    - Persistence
CVE-2025-20282: Arbitrary File Upload and Execution
- Initial Upload:
  - Attacker sends a specially crafted file to the internal API endpoint.
- Privilege Escalation:
  - The upload bypasses directory protections and lands in privileged directories.
- Execution:
  - The attacker triggers execution of the uploaded file, gaining root access.
(BleepingComputer, 2025; SOCRadar, 2025)
Timeline
- June 2025: Vulnerabilities privately reported by Trend Micro Zero Day Initiative and GMO Cybersecurity.
- June 25, 2025: Cisco advisory and patches released.
- June 26, 2025: Public disclosure via multiple security vendors.
- As of June 27, 2025: No known in-the-wild exploitation.
(The Hacker News, 2025; Cisco, 2025)
TTPs & IOCs
Tactics, Techniques, and Procedures:
- T1190 – Exploit Public-Facing Application
- T1078 – Valid Accounts (Post-Exploitation Persistence)
- T1105 – Ingress Tool Transfer
Indicators of Compromise:
- Unusual API requests:
  - POST /api/v1/… with large payloads
  - File uploads to internal endpoints
- Suspicious processes:
  - Unexpected binaries or scripts in system directories
  - Shell spawns initiated by the ise process
- Network indicators:
  - Connections from untrusted or foreign IP addresses to management interfaces
(Cisco, 2025)
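The two request-level indicators above (large POSTs to the public API, and management-interface access from outside trusted networks) can be checked mechanically over access logs. The following is an added example, not code from Cisco or Centripetal; the log format, the trusted range 10.20.0.0/24, the 64 KiB payload threshold and the endpoint name below /api/v1/ are all assumptions.

```python
import ipaddress

# Networks allowed to reach the ISE admin UI and APIs. Assumed for this
# example; substitute the real management ranges.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Request-body size above which a POST to /api/v1/ is flagged (assumed threshold).
LARGE_BODY_BYTES = 64 * 1024
# Management surface: the admin UI and the API root named in the advisory.
MANAGEMENT_PREFIXES = ("/admin", "/api/")


def parse_line(line):
    """Parse a constructed log line: '<timestamp> <client_ip> <method> <path> <request_bytes>'."""
    _ts, ip, method, path, body = line.split()
    return ip, method, path, int(body)


def is_trusted(ip):
    """True when the client address falls inside an allowed management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def triage(lines):
    """Return (client_ip, path, reasons) for each line matching an advisory indicator."""
    findings = []
    for line in lines:
        ip, method, path, body = parse_line(line)
        reasons = []
        # Indicator: POST /api/v1/... carrying an unusually large payload.
        if method == "POST" and path.startswith("/api/v1/") and body >= LARGE_BODY_BYTES:
            reasons.append("large POST to public API")
        # Indicator: management interface reached from outside trusted networks.
        if path.startswith(MANAGEMENT_PREFIXES) and not is_trusted(ip):
            reasons.append("management access from untrusted source")
        if reasons:
            findings.append((ip, path, reasons))
    return findings


# Constructed sample lines (not real ISE logs). The endpoint below /api/v1/
# is a placeholder, not a documented ISE path.
SAMPLE_LOG = [
    "2025-06-26T09:14:02Z 10.20.0.5 GET /admin/ 0",
    "2025-06-26T09:15:31Z 203.0.113.77 POST /api/v1/placeholder-endpoint 1048576",
    "2025-06-26T09:16:10Z 10.20.0.9 POST /api/v1/placeholder-endpoint 2048",
    "2025-06-26T09:17:45Z 198.51.100.23 GET /admin/login 0",
]

if __name__ == "__main__":
    for ip, path, reasons in triage(SAMPLE_LOG):
        print(ip, path, "; ".join(reasons))
```

Only the two untrusted-source lines are reported; the large POST from 203.0.113.77 matches both indicators at once, which is the combination the advisory describes.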
Centripetal’s Perspective
The disclosure of CVE-2025-20281 and CVE-2025-20282 underscores the persistent risk posed by unauthenticated API exposures in critical infrastructure platforms. Although no widespread exploitation has been confirmed, the combination of simple exploitation, unauthenticated access, and root-level compromise makes these vulnerabilities particularly severe for enterprise and government environments relying on Cisco ISE as a central trust anchor.
While Centripetal telemetry has not yet identified confirmed threat activity associated with these specific CVEs, historical patterns consistently show that critical Cisco vulnerabilities are rapidly incorporated into Centripetal’s Threat Intelligence. Organizations should assume that proof-of-concept exploits will emerge shortly, and proactively:
- Audit their external attack surface to identify any exposed ISE management interfaces.
- Enforce strict segmentation of administrative APIs from untrusted networks.
- Continuously monitor for anomalous API requests and file upload attempts.
- Accelerate patch deployment across all impacted environments.
This incident highlights the strategic importance of layered defenses, including continuous intelligence, strong segmentation, and policy-driven enforcement, to limit the blast radius of high-impact vulnerabilities in network security infrastructure.
If you are a current client of Cisco, please contact support@centripetal.ai.
Centripetal is also pleased to offer Penetration Testing and Vulnerability Assessment services to help organizations identify vulnerabilities and reduce risk. If interested, please contact our Professional Services team at profservs@centripetal.ai or reach out to your Centripetal Account Representative.
Resources
- Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities
- Critical RCE Flaws in Cisco ISE and ISE-PIC Allow Unauthenticated Attackers to Gain Root Access
- Critical Cisco ISE Vulnerabilities Allow Root-Level RCE
- Cisco warns of max severity RCE flaws in Identity Services Engine