Cisco has disclosed two critical vulnerabilities CVE-2025-20281 and CVE-2025-20282 affecting its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC).

These vulnerabilities allow unauthenticated, remote attackers to execute arbitrary commands on the underlying operating system with root privileges. The first flaw CVE-2025-20281 impacts ISE versions 3.3 and later, while the second CVE-2025-20282 is limited to version 3.4.

Summary 

OEM	Cisco
Severity	Critical
CVSS Score	10.0
CVEs	CVE-2025-20281, CVE-2025-20282
POC Available	No
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview 

Cisco has disclosed two critical vulnerabilities CVE-2025-20281 and CVE-2025-20282 affecting its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC).

These vulnerabilities allow unauthenticated, remote attackers to execute arbitrary commands on the underlying operating system with root privileges. The first flaw CVE-2025-20281 impacts ISE versions 3.3 and later, while the second CVE-2025-20282 is limited to version 3.4.

Both issues stem from insecure API implementations that fail to validate user input and uploaded files respectively.  

Given the critical nature of these bugs both scoring CVSS 9.8 & 10.0 Cisco has issued immediate fixes, with no workarounds available. Organizations using the affected versions are urged to apply the patches without delay. 

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
​API Unauthenticated RCE vulnerability	CVE-2025-20281	ISE & ISE-PIC	Critical	3.3 Patch 6, 3.4 Patch 2
Internal API Arbitrary File Execution vulnerability	CVE-2025-20282	ISE & ISE-PIC	Critical	3.4 Patch 2

Technical Summary 

Two independent vulnerabilities allow an attacker to gain full control over affected Cisco ISE systems without authentication: 

• CVE-2025-20281: Triggered via crafted requests to a public API, exploiting insufficient input validation to achieve RCE as root. 

• CVE-2025-20282: Abuses an internal API that lacks file validation, enabling the upload and execution of malicious files in privileged directories. 

These vulnerabilities align with CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) and CWE-269 (Improper Privilege Management). 

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-20281	Cisco ISE & ISE-PIC 3.3 and later	Insufficient validation in a public API allows remote attackers to send crafted requests, leading to unauthenticated command execution as the root user.	Remote code execution
CVE-2025-20282	Cisco ISE & ISE-PIC 3.4 only	An internal API fails to validate uploaded files. Attackers can upload files to system directories and execute them with root privileges.	Remote code execution

Remediation: 

Cisco has released patches for affected versions of ISE and ISE-PIC. There are no known workarounds, and customers are strongly encouraged to apply the following updates: 

Cisco ISE / ISE-PIC Version	CVE-2025-20281 Fixed In	CVE-2025-20282 Fixed In
3.2 and earlier	Not affected	Not affected
3.3	3.3 Patch 6	Not affected
3.4	3.4 Patch 2	3.4 Patch 2

Conclusion: 
These vulnerabilities represent a severe risk to network security infrastructure, particularly because they impact Cisco ISE a cornerstone for identity and access control in many enterprises. The unauthenticated remote nature of the exploits, combined with root-level access and no required user interaction, significantly increases the threat surface.  

Although Cisco’s PSIRT has stated that there are no known instances of public exploitation, the ease of exploitation and severity (CVSS 10.0) make these vulnerabilities highly attractive to threat actors. Organizations should immediately apply the available patches and review their system logs for any signs of suspicious activity targeting ISE infrastructure. 

References: 

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6 

• https://cybersecuritynews.com/cisco-ise-rce-vulnerability/