Cisco Systems has issued a critical security advisory regarding multiple remote code execution (RCE) vulnerabilities in its Identity Services Engine (ISE), which are currently being actively exploited by attackers. These vulnerabilities, identified as CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337, carry the highest possible severity rating with a CVSS score of 10.0, indicating their potential for significant impact.
Overview of the Vulnerabilities
The vulnerabilities affect Cisco ISE and the ISE Passive Identity Connector (ISE-PIC) across various versions:
– CVE-2025-20281: This flaw exists in ISE versions 3.3 and 3.4. It arises from insufficient validation of user-supplied input in a specific API, allowing unauthenticated remote attackers to send crafted API requests that can execute arbitrary operating system commands with root privileges.
– CVE-2025-20282: Present in ISE version 3.4, this vulnerability is due to inadequate file validation in an internal API. Attackers can exploit this by uploading arbitrary files to privileged directories and executing them with root permissions.
– CVE-2025-20337: Also affecting ISE versions 3.3 and 3.4, this vulnerability stems from incomplete request sanitization in a specific API. It enables unauthenticated remote attackers to execute arbitrary code on the underlying operating system as the root user.
Implications of Exploitation
The exploitation of these vulnerabilities poses severe risks to organizations:
– Unauthorized Access: Attackers can gain root-level access to affected systems without needing authentication credentials, potentially compromising the entire network infrastructure.
– Data Breach: With elevated privileges, malicious actors can access sensitive data, leading to data breaches and potential regulatory penalties.
– System Disruption: Attackers can execute arbitrary commands, potentially disrupting critical services and operations.
Cisco’s Response and Recommendations
Cisco has acknowledged the active exploitation of these vulnerabilities and has taken the following actions:
– Patch Releases: Cisco has released patches to address these vulnerabilities. Organizations are urged to apply the following updates immediately:
– For ISE 3.3: Upgrade to Release 3.3 Patch 7.
– For ISE 3.4: Upgrade to Release 3.4 Patch 2.
It’s important to note that earlier patches, such as 3.3 Patch 6 and 3.4 Patch 1, do not fully address all vulnerabilities and should be replaced with the latest updates.
– No Workarounds: Cisco has confirmed that there are no workarounds for these vulnerabilities. Applying the provided patches is the only effective remediation.
Steps for Organizations
Organizations utilizing Cisco ISE should take the following steps to mitigate the risks associated with these vulnerabilities:
1. Immediate Patching: Apply the recommended patches without delay to prevent potential exploitation.
2. System Audits: Conduct thorough audits of ISE deployments to ensure all instances are updated and to identify any signs of compromise.
3. Enhanced Monitoring: Increase monitoring of network traffic and system logs for unusual activities that may indicate exploitation attempts.
4. Incident Response Preparedness: Review and update incident response plans to ensure swift action can be taken in the event of a security breach.
Conclusion
The active exploitation of these critical vulnerabilities in Cisco ISE underscores the importance of prompt and proactive security measures. Organizations must prioritize the application of patches and remain vigilant to safeguard their network infrastructures against potential attacks.
