Unauthenticated access granted: Researchers claim a vulnerability in Cisco ISE granted root access before remedy implementation.

Unauthenticated access granted: Researchers claim a vulnerability in Cisco ISE granted root access before remedy implementation.

Newly Patched Vulnerability in Cisco's Identity Services Engine Actively Exploited

A critical vulnerability, CVE-2025-20281, in Cisco's Identity Services Engine (ISE) is currently being actively exploited by unauthenticated remote attackers. This vulnerability allows attackers to execute arbitrary commands with root privileges on affected devices, granting them full control over Cisco ISE devices without the need for authentication.

Who is Exploiting CVE-2025-20281?

The United States Cybersecurity and Infrastructure Security Agency (CISA) has reported that hackers are actively exploiting this vulnerability alongside another critical vulnerability, CVE-2025-20337, in Cisco ISE products. Cisco became aware of reported attempted exploitation on July 21, 2025, and has confirmed active exploitation attempts since then. While specific threat actor groups have not been publicly named, these attacks are carried out by unauthenticated remote attackers.

Known Attack Details

The attacks involve sending crafted API requests to vulnerable Cisco ISE/ISE-PIC versions (3.3.x and 3.4.x), exploiting insufficient input validation. Successful exploitation results in remote code execution as root, granting full control over the device. There are no workarounds; only upgrading to fixed software releases mitigates the vulnerability.

Summary Table of Key Facts

| Aspect | Details | |--------------------------------|------------------------------------------------------| | Affected Software | Cisco Identity Services Engine 3.3.x and 3.4.x versions | | Vulnerability Type | Remote code execution due to insufficient input validation in an API | | Exploitation Method | Crafted API requests by unauthenticated attackers | | Impact | Full root-level access on affected Cisco ISE devices | | Active Exploitation Confirmed | Yes, since at least July 21, 2025 | | Known Exploit Availability | Attempts detected; no public PoC confirmed yet (as of July 2025) | | Available Mitigation | Upgrade to patched Cisco ISE versions |

Important Notes

• CISA has listed CVE-2025-20281 in its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to patch immediately.
• Cisco strongly recommends upgrading to fixed releases since there are no effective workarounds.
• Security firms like Arctic Wolf have not observed public exploits but acknowledge the high risk due to previous historical targeting of Cisco products and the severity of these flaws.

In conclusion, CVE-2025-20281 is being actively exploited by unauthenticated remote attackers targeting Cisco ISE devices via crafted API requests leading to root code execution. Organizations running affected versions should urgently deploy Cisco’s patches to prevent compromise.

1. The actively exploited CVE-2025-20281 vulnerability in Cisco's Identity Services Engine (ISE) allows attackers to execute arbitrary commands with root privileges, granting them full control over the devices without authentication.
2. Security firms like Arctic Wolf have recognized the high risk posed by CVE-2025-20281 due to previous historical targeting of Cisco products and the severity of these flaws, even though no public exploits have been observed so far.
3. The critical vulnerability, CVE-2025-20281, is currently being actively exploited alongside another critical vulnerability, CVE-2025-20337, in Cisco ISE products, and these attacks are carried out by unauthenticated remote attackers.
4. CISA has listed CVE-2025-20281 in its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to patch immediately to protect their data and cloud computing infrastructure, which is a crucial part of the technology and finance sectors.
5. Investments in cybersecurity and AI technologies are increasingly important for businesses to address challenges like the active exploitation of CVE-2025-20281, as IoT devices are integral components of numerous networking systems.
6. Keeping software up to date and applying necessary patches is crucial for maintaining security in the rapidly evolving IT industry, as unpatched vulnerabilities like CVE-2025-20281 can lead to significant data breaches and other security incidents.
7. Cisco strongly recommends upgrading to fixed releases since there are no effective workarounds for CVE-2025-20281, and organizations running affected versions should urgently deploy Cisco’s patches to prevent compromise and assure business continuity.

Read also: