Full Report
The software defects, which have a maximum-severity rating, do not require authentication and allow remote attackers to execute code arbitrarily on the underlying system. The post Cisco network access security platform vulnerabilities under active exploitation appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Active Exploitation of Cisco ISE/Passive Identity Connector Remote Code Execution Flaws
## CVE Details
- CVE ID: CVE-2025-20281, CVE-2025-20337, CVE-2025-20282
- CVSS Score: 10.0 (Critical) for all three listed
- CWE: Not explicitly listed, but based on description, likely related to Injection or Improper Access Control leading to RCE.
## Affected Systems
- Products: Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector.
- Versions: Specific vulnerable versions are not listed in the summary but are detailed in the vendor advisory (which should be referenced).
- Configurations: No specific configuration details are provided, but the attack is remote.
## Vulnerability Description
A pair of vulnerabilities (CVE-2025-20281 and CVE-2025-20337) affecting Cisco ISE and the Passive Identity Connector allow an unauthenticated, remote attacker to execute arbitrary code on the underlying system with root privileges. A third critical vulnerability (CVE-2025-20282) exists in the same software suite. The flaws are severe enough to grant full system compromise (root execution).
## Exploitation
- Status: **Active exploitation** confirmed for **CVE-2025-20281** and **CVE-2025-20337**. No awareness of exploitation for CVE-2025-20282 currently.
- Complexity: Low (Implied by ease of remote, unauthenticated execution).
- Attack Vector: Network (Remote).
## Impact
- Confidentiality: High (Root access grants access to sensitive user/network data stored on ISE).
- Integrity: High (Ability to modify system configuration and data).
- Availability: High (Potential for system disruption or complete takeover).
## Remediation
### Patches
- Per Cisco disclosure on June 25 (for the first two) and July 16 (for the third), patches are available. Customers are strongly recommended to upgrade to the fixed software releases documented in the respective security advisories.
### Workarounds
- No workarounds are available for these software defects. Immediate patching is required.
## Detection
- Indicators of Compromise: Threat actors interested in ISE target its visibility capabilities (logging) and role as a repository for all organization users for further network pivoting.
- Detection Methods and Tools: Organizations should review logs for anomalous activity associated with the exploitation of these specific vulnerabilities, referencing Cisco's advisory for known IoCs or exploitation patterns.
## References
- Vendor Advisory: cisco-sa-ise-unauth-rce-ZAd2GnJ6 (defanged: cisco-sa-ise-unauth-rce-ZAd2GnJ6)
- NVD Link for CVE-2025-20281 (defanged: nvd.nist.gov/vuln/detail/CVE-2025-20281)
- NVD Link for CVE-2025-20337 (defanged: nvd.nist.gov/vuln/detail/CVE-2025-20337)
- NVD Link for CVE-2025-20282 (defanged: nvd.nist.gov/vuln/detail/CVE-2025-20282)