Critical Vulnerability in Cisco ISE Exposes Cloud Deployments to Unauthorized Access

Cisco has disclosed a critical vulnerability in its Identity Services Engine (ISE) software that affects deployments on major cloud platforms: Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). The flaw, tracked as CVE-2025-20286 with a CVSS score of 9.9, allows an unauthenticated remote attacker to access sensitive data, perform limited administrative operations, modify system configurations, or disrupt services across multiple cloud deployments, because the credentials generated during cloud deployment are static and shared rather than unique to each instance.

Nature of the Vulnerability

The core issue is the way Cisco ISE generates credentials when it is deployed on a cloud platform. According to Cisco’s advisory, the credentials are improperly generated during cloud deployment, with the result that separate Cisco ISE deployments end up sharing the same credentials. Concretely, every instance of a given ISE release on a given cloud platform uses identical authentication credentials. For example, every deployment of Release 3.1 on AWS shares one static set of credentials; that set differs from the one used by Release 3.2 on AWS, or by the same release on another platform, but it is the same for every organization running Release 3.1 on AWS.

Because the secret is tied to the release and platform rather than to the instance, an attacker who extracts the credentials from any one ISE cloud deployment (including one they control themselves) can reuse them against any other ISE deployment of the same release on the same platform, including deployments belonging to other organizations, provided its management ports are reachable from the attacker’s network position.
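The following is an added illustration, not Cisco’s code: Cisco has not published how ISE derived the credentials, so the “flawed” generator below is a hypothetical model of the pattern the advisory describes (a credential that is a function of public deployment attributes only), placed beside a per-instance generator that does not collide. The fleet names and releases are constructed, and `shared_credential_groups` is the kind of check an operator could run over an inventory to find nodes that unlock each other.

```python
"""
Hypothetical model of the CVE-2025-20286 pattern (added example, not Cisco's
implementation). A credential derived only from public inputs (release,
platform) is identical for every deployment with those inputs, no matter how
random the output looks. A credential drawn from per-instance entropy is not.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Deployment:
    name: str
    release: str    # e.g. "3.1"
    platform: str   # e.g. "AWS"
    credential: str


def flawed_credential(release: str, platform: str) -> str:
    """Vulnerable pattern (assumed): the only inputs are public attributes.
    The 32-byte SHA-256 output looks like a strong secret, but anyone who
    extracts it from one instance, or who can reproduce the derivation,
    holds it for every instance of this release on this platform."""
    material = f"ise-{release}-{platform}".encode()
    return hashlib.sha256(material).hexdigest()


def hardened_credential(release: str, platform: str) -> str:
    """Hardened pattern: 256 bits from the OS CSPRNG, generated on the
    instance at first boot. Release and platform may still be mixed in as
    a label, but they no longer determine the output."""
    per_instance_secret = secrets.token_bytes(32)
    label = f"ise-{release}-{platform}".encode()
    return hmac.new(per_instance_secret, label, hashlib.sha256).hexdigest()


def provision(name: str, release: str, platform: str, generator) -> Deployment:
    """Simulate first-boot credential generation for one deployment."""
    return Deployment(name, release, platform, generator(release, platform))


def shared_credential_groups(deployments):
    """Fleet check: group deployments by credential value. Any group with
    more than one member means compromising one node unlocks the others."""
    by_cred = defaultdict(list)
    for d in deployments:
        by_cred[d.credential].append(d.name)
    return [names for names in by_cred.values() if len(names) > 1]


def demo(generator):
    """Constructed fleet: three unrelated 3.1/AWS deployments (one belonging
    to another organisation), one on Azure, one on a newer release."""
    fleet = [
        provision("acme-prod", "3.1", "AWS", generator),
        provision("acme-dr", "3.1", "AWS", generator),
        provision("partner-x", "3.1", "AWS", generator),
        provision("acme-azure", "3.1", "Azure", generator),
        provision("acme-upgrade", "3.2", "AWS", generator),
    ]
    return shared_credential_groups(fleet)


if __name__ == "__main__":
    print("flawed generator  :", demo(flawed_credential))
    print("hardened generator:", demo(hardened_credential))
```

The point of the comparison is that output length and hashing do nothing for a secret whose inputs are public; the only fix is entropy that exists on one instance and nowhere else, which is also why the Cloud Security Group mitigation described later limits reachability but cannot make the shared credentials unique.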

Affected Systems

The vulnerability impacts Cisco ISE releases 3.1 through 3.4, with specific platform coverage varying by cloud provider:

– AWS Deployments: Vulnerable across versions 3.1, 3.2, 3.3, and 3.4.

– Azure and OCI Deployments: Affected from versions 3.2 through 3.4.

Notably, the vulnerability only affects deployments in which the Primary Administration node runs in the cloud; deployments whose Primary Administration node is on-premises are not affected. Traditional on-premises deployments installed from the ISO or OVA images on the Cisco Software Download Center, whether on appliances or virtual machines, are not vulnerable. Hybrid deployments that keep all ISE Administrator personas on-premises, and the Azure VMware Solution (AVS) and Google Cloud VMware Engine configurations, are likewise not affected.

Discovery and Reporting

The vulnerability was discovered and reported by Kentaro Kawane of GMO Cybersecurity by Ierae. Cisco’s Product Security Incident Response Team (PSIRT) is aware that proof-of-concept exploit code for this vulnerability exists, but reports no awareness of malicious exploitation in the wild.

Mitigation and Patching

Cisco has released a hotfix, ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz, that addresses the vulnerability in all affected releases from 3.1 through 3.4; despite the 3.1.x in the file name, Cisco lists it as the interim fix for each of those releases. Permanent fixes are planned in Release 3.3P8 (scheduled for November 2025), Release 3.4P3 (October 2025), and the new Release 3.5 (August 2025).

As an immediate mitigation, organizations can configure Cloud Security Groups to restrict inbound traffic to the ISE management interfaces so that only the source IP addresses of authorized administrators can reach them, and follow Cisco’s recommended security best practices for cloud deployments. This limits who can reach the vulnerable ports but does not change the shared credentials, so it is a stopgap until the hotfix is applied.
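To make the Cloud Security Group mitigation concrete, here is an added audit helper (not from Cisco or the advisory) that flags AWS security-group rules exposing ISE management ports to sources outside an administrator allow-list. It consumes data shaped like the JSON that `aws ec2 describe-security-groups` returns; the two groups below are constructed, the allow-list CIDRs are placeholders, and the choice of 22 and 443 as the management ports is the editor’s assumption (take the authoritative list from Cisco’s ISE port reference). The same logic applies to Azure NSGs or OCI security lists once their rule format is mapped onto the same fields.

```python
"""
Added example: audit AWS security groups attached to Cisco ISE nodes for rules
that let non-administrator sources reach the management ports. Offline; the
input mimics `aws ec2 describe-security-groups` output.
"""
import ipaddress
import json

# Assumption (editor's, not Cisco's): admin GUI/API over HTTPS and CLI over SSH.
MANAGEMENT_PORTS = {22, 443}

# Placeholder administrator networks; replace with your own jump-host ranges.
ADMIN_CIDRS = ["203.0.113.0/24", "10.20.0.0/16"]

# Constructed sample: one group with an open admin rule and an over-broad
# all-traffic rule, one group correctly restricted.
SAMPLE_DESCRIBE_OUTPUT = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "GroupName": "ise-pan-open",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
     {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}
   ]},
  {"GroupId": "sg-0bbb", "GroupName": "ise-pan-restricted",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
     {"IpProtocol": "udp", "FromPort": 1812, "ToPort": 1812,
      "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}
   ]}
]}
""")


def rule_touches_ports(perm, ports):
    """True if the permission covers any of `ports`. IpProtocol "-1" means
    all traffic and carries no port fields, so it always counts."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= p <= hi for p in ports)


def source_is_authorized(cidr, allowed_cidrs):
    """A source range is authorized only if it lies entirely inside one of
    the administrator CIDRs. 0.0.0.0/0 never does; a wider internal range
    such as 10.0.0.0/8 is also rejected when only a subnet is allowed."""
    net = ipaddress.ip_network(cidr, strict=False)
    for allowed in allowed_cidrs:
        allowed_net = ipaddress.ip_network(allowed, strict=False)
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True
    return False


def find_exposed_management_rules(describe_output, allowed_cidrs,
                                  ports=MANAGEMENT_PORTS):
    """Return (group id, protocol, from port, to port, source CIDR) for every
    rule that lets an unauthorized source reach a management port."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_touches_ports(perm, ports):
                continue
            for rng in perm.get("IpRanges", []):
                cidr = rng["CidrIp"]
                if not source_is_authorized(cidr, allowed_cidrs):
                    findings.append((sg["GroupId"], perm["IpProtocol"],
                                     perm.get("FromPort"), perm.get("ToPort"),
                                     cidr))
    return findings


def restricted_rule(port, allowed_cidrs):
    """The corrected form of an admin rule: the same port, with the source
    list replaced by the administrator CIDRs only."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in allowed_cidrs]}


if __name__ == "__main__":
    for finding in find_exposed_management_rules(SAMPLE_DESCRIBE_OUTPUT,
                                                 ADMIN_CIDRS):
        print("EXPOSED:", finding)
    print(json.dumps(restricted_rule(443, ADMIN_CIDRS)))
```

In practice the audit input comes from `aws ec2 describe-security-groups` filtered to the groups attached to the ISE instances, and each finding is remediated with `aws ec2 revoke-security-group-ingress` followed by `aws ec2 authorize-security-group-ingress` using a rule like the one `restricted_rule` produces. The all-traffic rule from `10.0.0.0/8` is flagged deliberately: with shared credentials, any compromised host in the wider internal range is as dangerous as an Internet-sourced attacker.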

Recommendations

Given the critical nature of this vulnerability, organizations utilizing Cisco ISE in cloud environments should:

1. Apply the Hotfix Immediately: Deploy the provided hotfix to mitigate the vulnerability across all affected versions.

2. Plan for Permanent Updates: Schedule updates to the forthcoming fixed releases as they become available.

3. Restrict Access: Configure Cloud Security Groups to limit access to the ISE management interface to authorized IP addresses only.

4. Monitor Deployments: Review ISE administrator and audit logs, together with cloud-side access logs, for logins or API calls to the management interface from source addresses outside the authorized administrator ranges, and treat any such access as a potential use of the shared credentials.

By taking these steps, organizations can reduce the exposure of their cloud-based Cisco ISE deployments to exploitation of this flaw and protect the network access controls that depend on them.