Full Report
Cisco has released updates to address two critical security flaws in Identity Services Engine (ISE) that could allow remote attackers to execute arbitrary commands and elevate privileges on susceptible devices. The vulnerabilities are listed below - CVE-2025-20124 (CVSS score: 9.9) - An insecure Java deserialization vulnerability in an API of Cisco ISE that could permit an authenticated, remote
Analysis Summary
# Vulnerability: Critical Remote Command Execution and Privilege Escalation in Cisco ISE
## CVE Details
- CVE ID: CVE-2025-20124 and CVE-2025-20125
- CVSS Score: 9.9 (Critical) for CVE-2025-20124; 9.1 (Critical) for CVE-2025-20125
- CWE: Insecure Deserialization (Implied for CVE-2025-20124)
## Affected Systems
- Products: Cisco Identity Services Engine (ISE)
- Versions:
  - Release 3.0 (needs migration to a fixed release)
  - Release 3.1 (fixed in 3.1P10)
  - Release 3.2 (fixed in 3.2P7)
  - Release 3.3 (fixed in 3.3P4)
  - Release 3.4 (not vulnerable)
- Configurations: Exposure is through the ISE API; the advisory summary does not name the specific endpoints or request types involved.
## Vulnerability Description
**CVE-2025-20124 (CVSS 9.9):** This is an insecure Java deserialization vulnerability within an API of Cisco ISE. A remote, authenticated attacker can exploit this by sending a crafted serialized Java object to an unspecified API endpoint, achieving arbitrary command execution with **root privileges**.
**CVE-2025-20125 (CVSS 9.1):** This is an authorization bypass vulnerability in an API of Cisco ISE. A remote, authenticated attacker with valid **read-only credentials** can exploit this to obtain sensitive information, modify node configurations, and restart the affected node.
## Exploitation
- Status: No malicious exploitation in the wild is known at the time of the advisory. Public proof-of-concept code is not confirmed, but given the severity its emergence should be assumed.
- Complexity: Both flaws require an existing authenticated session (any valid credentials for CVE-2025-20124; read-only credentials suffice for CVE-2025-20125), which the summary rates as **Medium** to **High** practical complexity.
- Attack Vector: **Network** (a remote attacker reaching the ISE API).
## Impact
| Vulnerability | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| CVE-2025-20124 (RCE) | High (Full control) | High (Full control) | High (System compromise/restart) |
| CVE-2025-20125 (Auth Bypass) | High (Sensitive Info Disclosure) | High (Configuration Change) | High (Node Restart) |
## Remediation
### Patches
The following fixed releases are available:
- Cisco ISE software release 3.1P10
- Cisco ISE software release 3.2P7
- Cisco ISE software release 3.3P4
- Systems running Release 3.0 are advised to migrate to a fixed release.
- Release 3.4 is not affected.
### Workarounds
- No workarounds are available to mitigate these flaws. Immediate patching is necessary for mitigation.
## Detection
- Detection guidance was not detailed in the advisory summary. Review ISE API access and audit logs for unusual interaction patterns, in particular request bodies carrying serialized Java objects (CVE-2025-20124) and node configuration changes or restarts initiated from accounts that hold only read-only privileges (CVE-2025-20125).
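The two detection heuristics above, as an added triage example that is not part of the advisory or of any Cisco tooling: it scans constructed JSON audit records (hypothetical field names `user`, `role`, `method`, `path`, `body`; ISE's real log format differs) for Java serialization markers and for state-changing calls made by read-only accounts.

```python
import json
import re

# Java serialization stream header 0xACED0005; a base64-encoded stream starts with "rO0AB".
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
JAVA_SER_B64 = re.compile(r"\brO0AB[A-Za-z0-9+/=]*")
# HTTP methods that change state; a read-only user issuing them is the CVE-2025-20125 pattern.
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


def looks_serialized(body: str) -> bool:
    """Return True if the request body carries a raw or base64-encoded Java serialized object."""
    raw = body.encode("latin-1", errors="replace")
    return JAVA_SER_MAGIC in raw or JAVA_SER_B64.search(body) is not None


def triage(log_lines):
    """Flag API requests matching either exploitation pattern; returns a list of (line_no, reason)."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        rec = json.loads(line)
        if looks_serialized(rec.get("body", "")):
            findings.append((n, "Java serialized object in API request body"))
        if rec.get("role") == "read-only" and rec.get("method") in MUTATING:
            findings.append((n, "state-changing API call from read-only account"))
    return findings


# Constructed sample audit records (hypothetical field names and paths; not ISE's real log format).
SAMPLE_LOG = [
    '{"user":"ops","role":"admin","method":"GET","path":"/api/v1/node","body":""}',
    '{"user":"ops","role":"admin","method":"POST","path":"/api/v1/x","body":"rO0ABXNyAAtqYXZhLnV0aWwu"}',
    '{"user":"auditor","role":"read-only","method":"PUT","path":"/api/v1/node/ise1","body":"{}"}',
    '{"user":"auditor","role":"read-only","method":"GET","path":"/api/v1/node","body":""}',
]

if __name__ == "__main__":
    for n, reason in triage(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

Run against the sample, lines 2 and 3 are flagged and the two benign GET requests are not; feed real API access logs through `triage` after mapping their fields to the same keys.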
## References
- Vendor Advisory: defanged.sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multivuls-FTW9AOXF