Summary

| Field | Value |
|---|---|
| OEM | Cisco |
| Severity | Critical |
| CVSS Score | 9.9 |
| CVEs | CVE-2025-20286 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
Cisco has disclosed a critical vulnerability in Identity Services Engine (ISE) cloud deployments that allows unauthenticated remote attackers to gain administrative access across multiple instances due to improperly generated static credentials.
Tracked as CVE-2025-20286, with a CVSS score of 9.9, this flaw affects ISE deployments on AWS, Microsoft Azure, and Oracle Cloud Infrastructure (OCI). Cisco has released hotfixes and announced permanent fixes for impacted versions.
| Vulnerability Name | CVE ID | Product Affected | Severity |
|---|---|---|---|
| Cisco ISE Shared Credential Vulnerability | CVE-2025-20286 | Cisco ISE | Critical |
Technical Summary
The vulnerability stems from improper generation of credentials during the setup of Cisco ISE on cloud platforms. Every deployment of the same ISE version on a given platform (e.g. ISE 3.1 on AWS) shares identical static credentials. This oversight enables an attacker to extract the credentials from one deployment and reuse them to access any other same-version deployment on that platform, provided network access is available.
This issue affects only cloud-hosted Primary Administration nodes. Traditional on-premises deployments and hybrid setups with local admin nodes are not affected.
| CVE ID | System Affected | Vulnerability Details | Impact |
|---|---|---|---|
| CVE-2025-20286 | Cisco ISE 3.1 – 3.4 | Static credentials reused across same-version cloud deployments. Credentials can be extracted from one instance and reused across others on the same cloud platform. | Access sensitive data |
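As an added triage example (not Cisco's code or tooling), the following Python encodes the scoping conditions above over an inventory of ISE nodes and, as a second check, groups nodes that report the same admin-credential fingerprint, which is the observable symptom of statically generated credentials. The inventory, node names, the `cred_fingerprint` field and its values are constructed assumptions; only the hotfix filename and release range come from the advisory.

```python
"""Added triage helper for CVE-2025-20286 (not Cisco's tooling). Flags ISE nodes
that meet every condition in the advisory and groups nodes that report the same
admin-credential fingerprint, the observable symptom of static credentials."""
from collections import defaultdict
from dataclasses import dataclass

HOTFIX = "ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz"  # from the advisory
CLOUD_PLATFORMS = {"aws", "azure", "oci"}
AFFECTED_RELEASES = {"3.1", "3.2", "3.3", "3.4"}

@dataclass
class IseNode:
    name: str
    platform: str            # "aws", "azure", "oci" or "on-prem"
    version: str             # e.g. "3.1" or "3.3.0.430"
    role: str                # "primary-admin", "secondary-admin", "psn", ...
    hotfixes: tuple          # hotfix bundles already installed
    cred_fingerprint: str    # hypothetical hash of the admin credential, never the secret

def is_exposed(node: IseNode) -> bool:
    """Cloud-hosted Primary Administration node, ISE 3.1-3.4, hotfix missing."""
    release = ".".join(node.version.split(".")[:2])
    return (node.platform in CLOUD_PLATFORMS
            and node.role == "primary-admin"
            and release in AFFECTED_RELEASES
            and HOTFIX not in node.hotfixes)

def shared_credentials(nodes):
    """Map fingerprint -> node names for fingerprints seen on more than one node."""
    seen = defaultdict(list)
    for n in nodes:
        seen[n.cred_fingerprint].append(n.name)
    return {fp: names for fp, names in seen.items() if len(names) > 1}

INVENTORY = [  # constructed sample inventory, not real hosts
    IseNode("ise-aws-1", "aws", "3.1", "primary-admin", (), "fp-aaa"),
    IseNode("ise-aws-2", "aws", "3.1", "primary-admin", (), "fp-aaa"),  # same as aws-1
    IseNode("ise-aws-3", "aws", "3.1", "primary-admin", (HOTFIX,), "fp-ccc"),
    IseNode("ise-azure-1", "azure", "3.3.0.430", "primary-admin", (), "fp-bbb"),
    IseNode("ise-dc-1", "on-prem", "3.2", "primary-admin", (), "fp-ddd"),
    IseNode("ise-aws-psn", "aws", "3.1", "psn", (), "fp-eee"),
]

def triage(nodes=INVENTORY):
    """Return exposed node names plus any credential fingerprints shared across nodes."""
    return {"exposed": sorted(n.name for n in nodes if is_exposed(n)),
            "shared": shared_credentials(nodes)}
```

A node that is exposed but whose fingerprint is unique in your inventory is still exposed: the shared-credential check only confirms the symptom where two or more same-version deployments are visible to you.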
Remediation:
Apply Hotfix Immediately: Install the universal hotfix ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz on ISE versions 3.1 to 3.4.
| Cisco ISE Release | Hot Fix | First Fixed Release |
|---|---|---|
| 3.0 and earlier | Not applicable. | Not affected. |
| 3.1 | ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz (this hot fix applies to Releases 3.1 through 3.4) | Migrate to a fixed release. |
| 3.2 | ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz (this hot fix applies to Releases 3.1 through 3.4) | Migrate to a fixed release. |
| 3.3 | ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz (this hot fix applies to Releases 3.1 through 3.4) | 3.3P8 (November 2025) |
| 3.4 | ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz (this hot fix applies to Releases 3.1 through 3.4) | 3.4P3 (October 2025) |
| 3.5 | Not applicable. | Planned release (Aug 2025) |
Conclusion:
CVE-2025-20286 presents a severe security risk to organizations using Cisco ISE on public cloud platforms. By exploiting shared static credentials, attackers can potentially move laterally between cloud deployments.
Although no active exploitation has been reported, a proof-of-concept (PoC) exploit is available, heightening the urgency for remediation.
Organizations should apply the hotfix immediately, upgrade to a fixed release when one is available, and tighten cloud network access policies so that the ISE admin interface is not reachable from untrusted networks. On-premises and hybrid deployments remain unaffected, offering a safer architectural alternative.