Cisco Confirms Active Exploits Targeting ISE Flaws Enabling Unauthenticated Root Access

Jul 22, 2025Ravie LakshmananNetwork Security / Vulnerability

Cisco on Monday updated its advisory of a set of recently disclosed security flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) to acknowledge active exploitation.

“In July 2025, the Cisco PSIRT [Product Security Incident Response Team], became aware of attempted exploitation of some of these vulnerabilities in the wild,” the company said in an alert.

The network equipment vendor did not disclose which vulnerabilities have been weaponized in real-world attacks, the identity of the threat actors exploiting them, or the scale of the activity.

Cisco ISE plays a central role in network access control, managing which users and devices are allowed onto corporate networks and under what conditions. A compromise at this layer could give attackers unrestricted access to internal systems, bypassing authentication controls and logging mechanisms—turning a policy engine into an open door.

The vulnerabilities outlined in the alert are all critical-rated bugs (CVSS scores: 10.0) that could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user –

• CVE-2025-20281 and CVE-2025-20337 – Multiple vulnerabilities in a specific API that could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root
• CVE-2025-20282 – A vulnerability in an internal API that could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and then execute those files on the underlying operating system as root

While the first two flaws are the result of insufficient validation of user-supplied input, the latter stems from a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system.

As a result, an attacker could leverage these shortcomings by submitting a crafted API request (for CVE-2025-20281 and CVE-2025-20337) or uploading a crafted file to the affected device (for CVE-2025-20282).

In light of active exploitation, it’s essential that customers upgrade to a fixed software release as soon as possible to remediate these vulnerabilities. These flaws are exploitable remotely without authentication, placing unpatched systems at high risk of pre-auth remote code execution—a top-tier concern for defenders managing critical infrastructure or compliance-driven environments.

Security teams should also review system logs for suspicious API activity or unauthorized file uploads, especially in externally exposed deployments.