Cisco

Critical Credential Reuse Vulnerability in Cisco ISE Cloud Deployments

Summary

OEM	Cisco
Severity	Critical
CVSS Score	9.9
CVEs	CVE-2025-20286
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

Cisco has disclosed a critical vulnerability in Identity Services Engine (ISE) cloud deployments that allows unauthenticated remote attackers to gain administrative access across multiple instances due to improperly generated static credentials.

Tracked as CVE-2025-20286, with a CVSS score of 9.9, this flaw affects ISE deployments on AWS, Microsoft Azure, and Oracle Cloud Infrastructure (OCI). Cisco has released hotfixes and announced permanent fixes for impacted versions.

Vulnerability Name	CVE ID	Product Affected	Severity
Cisco ISE Shared Credential Vulnerability	CVE-2025-20286	Cisco ISE	Critical

Technical Summary

The vulnerability stems from improper generation of credentials during the setup of Cisco ISE on cloud platforms. Each deployment of the same ISE version on a given platform (eg – AWS 3.1) shares identical static credentials. This oversight enables an attacker to extract credentials from one deployment and reuse them to access others, if network access is available.

This issue is only to cloud-hosted Primary Administration nodes. Traditional on-premises deployments or hybrid setups with local admin nodes are not affected.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-20286	Cisco ISE 3.1 – 3.4	Static credentials reused across same-version cloud deployments. Credentials can be extracted from one instance and reused across others on the same cloud platform	Access sensitive data

Remediation:

Apply Hotfix Immediately: Install the universal hotfix ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz on ISE versions 3.1 to 3.4.

Cisco ISE Release	Hot Fix	First Fixed Release
3.0 and earlier	Not applicable.	Not affected.
3.1	ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz	Migrate to a fixed release.
	This hot fix applies to Releases 3.1 through 3.4.
3.2	ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz	Migrate to a fixed release.
	This hot fix applies to Releases 3.1 through 3.4.
3.3	ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz	3.3P8 (November 2025)
	This hot fix applies to Releases 3.1 through 3.4.
3.4	ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz	3.4P3 (October 2025)
	This hot fix applies to Releases 3.1 through 3.4.
3.5	Not applicable.	Planned release (Aug 2025)

Conclusion:
CVE-2025-20286 presents a severe security risk to organizations using Cisco ISE on public cloud platforms. By exploiting shared static credentials, attackers can potentially move laterally between cloud deployments.

Although no active exploitation has been reported, a proof-of-concept (PoC) exploit is available, heightening the urgency for remediation.

Organizations should apply hotfixes immediately, upgrade to secured versions, and tighten cloud network access policies to mitigate the risk. On-premises and hybrid deployments remain unaffected, offering a safer architectural alternative.

References:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7

https://cybersecuritynews.com/cisco-ise-credential-vulnerability/

CISCO ISE & UIC Security Flaws Allow DoS, Privilege Escalation

Summary: Cisco has disclosed multiple vulnerabilities affecting its Identity Services Engine (ISE) and Unified Intelligence Center (UIC).

The ISE bug, tracked as CVE-2025-20152, impacts the RADIUS message processing feature and could be exploited remotely, without authentication, to cause ISE to reload, leading to a denial of service (DoS) condition.

OEM	CISCO
Severity	HIGH
CVSS Score	8.6
CVEs	CVE-2025-20152, CVE-2025-20113, CVE-2025-20114
Actively Exploited	No
Exploited in Wild	No
Advisory Version	1.0

Overview

This include a critical denial-of-service (DoS) vulnerability in the RADIUS protocol processing (CVE-2025-20152) and two privilege escalation flaws (CVE-2025-20113, CVE-2025-20114).

These unpatched issues, could result in network disruption and unauthorized access to sensitive data.

Vulnerability Name	CVE ID	Product Affected	Severity	Fixed Version
RADIUS DoS Vulnerability	CVE-2025-20152	Cisco Identity Services Engine	High	ISE 3.4 Patch 1 (3.4P1)
Privilege Escalation Vulnerability	CVE-2025-20113	Unified Intelligence Center	High	UIC 12.5(1)SU ES04, 12.6(2)ES04
Privilege Escalation Vulnerability	CVE-2025-20114	Unified Intelligence Center	High	UIC 12.5(1)SU ES04, 12.6(2)ES04

Technical Summary

The vulnerabilities identified in ISE and UIC products are critical and the allow an authenticated attacker to elevate their privileges to those of an administrator, for a limited set of functions on a vulnerable system by potentially accessing or manipulating unauthorized data.

Medium-severity bugs were also resolved in Webex, Webex Meetings, Secure Network Analytics Manager, Secure Network Analytics Virtual Manager, ISE, Duo, Unified Communications and Contact Center Solutions, and Unified Contact Center Enterprise (CCE).

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-20152	CISCO ISE 3.4	Improper handling of malformed RADIUS authentication requests can cause a system reload.	Denial of Service (DoS), Network Disruption
CVE-2025-20113	Unified Intelligence Center 12.5, 12.6	Insufficient server-side validation in API/HTTP requests may allow an authenticated attacker to escalate privileges to Admin level for certain functions.	Privilege Escalation, Unauthorized Data Access
CVE-2025-20114	Unified Intelligence Center 12.5, 12.6	Insufficient input validation in API allows IDOR attacks, enabling attackers to access data of other users.	Horizontal Privilege Escalation, Data Exposure

Remediation:

Cisco has released security updates to address these vulnerabilities:

For CVE-2025-20152 (Cisco ISE):

Upgrade to ISE 3.4P1 or later. No workarounds exist; RADIUS services are enabled by default, making immediate patching critical.

For CVE-2025-20113 and CVE-2025-20114 (UIC):

Upgrade to:

UIC 12.5(1)SU ES04 or later.
- UIC 12.6(2)ES04 or later.
- Unified CCX users should migrate to a fixed release if using affected versions.

Administrators are advised to verify product versions and apply patches through official Cisco channels.

Conclusion:
These vulnerabilities pose significant security risks especially CVE-2025-20152, which affects the core authentication protocol in many Cisco ISE deployments.

Organizations should prioritize updates to mitigate risks of denial-of-service attacks and unauthorized data access. No exploitation in the wild has been observed so far, but given the critical nature, immediate action is strongly recommended.

References:

FBI Warns End-of-Life Routers Exploited in Active Botnet and Proxy Campaigns

Summary

The FBI issued an alert warning of ongoing exploitation of 13 EOL Linksys/Cisco routers by cybercriminal groups operating the 5Socks and Anyproxy services.

The threat actors are using known vulnerabilities in outdated firmware to install malware, hijack routers, and leverage them as part of a botnet or proxy service used to mask malicious activities.

The malware establishes persistent access via regular communication with a command & control (C2) server, and affected devices are being rented out to other criminals.

The FBI strongly recommends replacing EOL devices with with newer and actively supported model or at least disabling remote management features immediately.

Technical Details

Attack Overview

Entry Point: Remote administration services exposed to the Internet.

Authentication Bypass: Attackers bypass password protection to gain shell/root access.

Malware Capabilities:

Maintains persistent presence through C2 check-ins every 60 seconds to 5 minutes.

Opens ports to act as proxy relays.

Enables the sale of infected routers as “proxy-as-a-service” infrastructure.

Confirmed Vulnerable Devices

The FBI has identified the following end-of-life (EOL) routers from Cisco and Linksys as actively targeted in these campaigns:

E1200

E2500

E1000

E4200

E1500

E300

E3200

WRT320N

E1550

WRT610N

E100

WRT310N

Indicators of Compromise (IOCs)

Since the malware is router-based, it is difficult for an end user to know if their device is compromised due to the inability of antivirus tools to scan these devices.

Below is a list of files associated with the malware’s router exploitation campaign:

Name	Hash
0_forumdisplay-php_sh_gn-37-sh	661880986a026eb74397c334596a2762
1_banana.gif_to_elf_t	62204e3d5de02e40e9f2c51eb991f4e8
2_multiquote_off.gif_to_elf_gn-p_forward- hw-data-to-exploit-server	9f0f0632b8c37746e739fe61f373f795
3_collapse_tcat_gif_sh_s3-sh	22f1f4c46ac53366582e8c023dab4771
4_message_gif_to_elf_k	cffe06b0adcc58e730e74ddf7d0b4bb8
5_viewpost_gif_to_elf_s	084802b4b893c482c94d20b55bfea47d
6_vk_gif_to_elf_b	e9eba0b62506645ebfd64becdd4f16fc
7_slack_gif_DATA	41e8ece38086156959804becaaee8985
8_share_gif_DATA	1f7b16992651632750e7e04edd00a45e
banana.gif-upx	2667a50869c816fa61d432781c731ed2
message.gif-upx	0bc534365fa55ac055365d3c31843de7

Recommended Mitigations:

Replace Vulnerable Devices: Immediately replace EOL routers with models still supported by vendors and receiving firmware/security updates.

Disable Remote Administration: Turn off any form of remote management via web, SSH, or Telnet.

Reboot Compromised Devices: This can temporarily disrupt malware persistence, though not permanently remove it.

Network Segmentation: Isolate critical devices from consumer routers or IoT networks.

Implement Monitoring Tools: Use firewalls or network sensors that detect unusual traffic or device behavior.

“End of life routers were breached by cyber actors using variants of TheMoon malware botnet,” reads the FBI bulletin.

“Recently, some routers at end of life, with remote administration turned on, were identified as compromised by a new variant of TheMoon malware. This malware allows cyber actors to install proxies on unsuspecting victim routers and conduct cyber crimes anonymously.”

References:

https://www.usatoday.com/story/tech/2025/05/09/linksys-internet-routers-cyberattack-fbi/83537973007/

https://www.ic3.gov/CSA/2025/250507.pdf

High-Severity DoS Vulnerability in Cisco NX-OS Software

MPLS Encapsulated IPv6 Denial of Service Vulnerability

OEM	CISCO
Severity	High
CVSS score	7.4
CVEs	CVE-2025-20111
Exploited in Wild	No
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

A high-severity vulnerability (CVE-2025-20111) in Cisco Nexus 3000 and 9000 Series Switches operating in standalone NX-OS mode could allow unauthenticated attackers to trigger a denial-of-service (DoS) condition by sending crafted ethernet frames, leading to unexpected device reloads.

Vulnerability Name	CVE ID	Product Affected	Severity
Denial of service vulnerability	CVE-2025-20111	Cisco Nexus	High

Technical Summary

The vulnerability originates from improper handling of specific Ethernet frames within the health monitoring diagnostics of Cisco Nexus switches.

An unauthenticated, adjacent attacker can exploit this flaw by sending a sustained rate of crafted Ethernet frames to a vulnerable device. Successful exploitation results in repeated device reloads, disrupting network operations and potentially impacting high-availability environments.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-20111	Nexus 3000 Series: 3100, 3200, 3400, and 3600 models Nexus 9000 Series: 9200, 9300, and 9400 switches running standalone NX-OS	Improper handling of specific Ethernet frames in health monitoring diagnostics	Repeated device reboots, potential network downtime

Remediation:

Apply Software Updates: Cisco has released patched software versions to address the vulnerability. Network administrators should upgrade affected devices immediately.

Use Cisco Software Checker: Organizations should verify their exposure using Cisco’s Software Checker tool to identify the earliest fixed release.

Implement Workarounds: If immediate patching is not feasible, organizations can mitigate risks using Access Control Lists (ACLs) to filter anomalous Ethernet frames targeting the health monitoring subsystem.

Conclusion:

CVE-2025-20111 presents a significant risk to enterprise and data center networks relying on Cisco Nexus switches. While there is no known active exploitation, organizations should prioritize patching and mitigation strategies to prevent service disruptions. Proactive monitoring and adherence to Cisco’s security advisories will help ensure network resilience against potential exploitation.

References:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-n3kn9k-healthdos-eOqSWK4g

https://cybersecuritynews.com/cisco-nexus-switches-vulnerability-dos/

https://nvd.nist.gov/vuln/detail/CVE-2025-20111

Cisco Meeting Management to Prone to Attack Vectors; Vulnerability CVE-2025-20156

Cisco has warned about a new privilege escalation vulnerability in its Meeting Management tool that could allow a remote attacker to gain administrator privileges on exposed instances.

The vulnerability, CVE-2025-20156 was disclosed by Cisco on January 22 and is awaiting further analysis by the US National Vulnerability Database (NVD)

OEM	Cisco
Severity	Critical
CVSS	9.9
CVEs	CVE-2025-20156
Exploited in Wild	No
Patch/Remediation Available	Yes
Advisory Version	1.0

Overview

A critical vulnerability (CVE-2025-20156) in Cisco Meeting Management could allow attackers to gain unauthorized administrative access. This issue affects versions prior to 3.9.1 and has been classified as critical. Cisco strongly recommends updating to the latest fixed version to address this risk.

Vulnerability Name	CVE ID	Product Affected	Severity
Privilege Escalation Vulnerability	CVE-2025-20156	Cisco	Critical

Technical Summary

A critical security vulnerability has been identified in Cisco Meeting Management. This flaw resides in the REST API and stems from improper enforcement of authorization protocols for REST API users. Remote, authenticated attackers with low-level privileges can exploit this issue by sending specially crafted API requests to specific endpoints. A successful exploit could allow attackers to escalate their privileges to administrator level and gain control over edge nodes managed by Cisco Meeting Management.

CVE ID	System Affected	Vulnerability Details	Impact
CVE-2025-20156	Cisco Meeting Management prior to version 3.9.1	Insufficient authorization checks in the REST API allow attackers to send crafted API requests to escalate privileges.	Attackers can gain full administrative control and disrupt business operations.

Remediation:

Update to the Latest Version:

Upgrade Cisco Meeting Management to version 3.9.1or later.

Regular Security Practices:

Monitor Cisco’s security advisories.

Regularly update systems to address emerging threats.

Conclusion:

CVE-2025-20156 poses a critical risk to Cisco Meeting Management users. Exploiting this flaw could disrupt operations by granting attacker’s administrative control. Immediate updates are crucial to mitigate the risk and protect affected systems.

References:

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cmm-privesc-uy2Vf8pc

https://cybersecuritynews.com/cisco-meeting-management-vulnerability/

CISCO ISE & UIC Security Flaws Allow DoS, Privilege Escalation

FBI Warns End-of-Life Routers Exploited in Active Botnet and Proxy Campaigns

High-Severity DoS Vulnerability in Cisco NX-OS Software

Cisco Meeting Management to Prone to Attack Vectors; Vulnerability CVE-2025-20156

Recent Posts

Recent Comments

Search

Recent Comments

Recent Posts

Archives