Full Report
Cisco has released updates to address two maximum-severity security flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could permit an unauthenticated attacker to execute arbitrary commands as the root user. The vulnerabilities, assigned the CVE identifiers CVE-2025-20281 and CVE-2025-20282, carry a CVSS score of 10.0 each. A description of the defects is
Analysis Summary
# Vulnerability: Critical Unauthenticated RCE in Cisco ISE and ISE-PIC Leading to Root Access
## CVE Details
- CVE ID: CVE-2025-20281, CVE-2025-20282
- CVSS Score: 10.0 (Critical)
- CWE: Insufficient Input Validation (CVE-2025-20281), Improper Validation of Uploaded File (CVE-2025-20282)
## Affected Systems
- Products: Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC)
- Versions:
- CVE-2025-20281: Releases 3.3 and later
- CVE-2025-20282: Release 3.4
- Configurations: Not specified beyond the product version.
## Vulnerability Description
Two distinct critical vulnerabilities exist, both allowing unauthenticated remote attackers to gain root access:
1. **CVE-2025-20281 (Input Validation Issue):** This vulnerability results from insufficient validation of user-supplied input within an API request. A successful exploit allows an attacker to send a crafted API request to achieve elevated privileges and execute arbitrary code as the `root` user on the underlying operating system.
2. **CVE-2025-20282 (File Validation Issue):** This vulnerability stems from a lack of file validation checks, allowing an attacker to upload arbitrary files to an affected device and execute those files in privileged directories, leading to the execution of arbitrary code as the `root` user.
## Exploitation
- Status: No evidence of exploitation in the wild found (but immediate patching is advised).
- Complexity: Implied Low (due to unauthenticated remote nature, though specific exploit details are abstract).
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (Root access allows compromise of all system data)
- Integrity: High (Root access allows modification or destruction of system files and settings)
- Availability: High (Root access allows system denial of service or complete compromise)
## Remediation
### Patches
The following patches address the identified vulnerabilities:
* **For CVE-2025-20281:**
* Cisco ISE/ISE-PIC 3.3 Patch 6 (Package: `ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz`)
* Cisco ISE/ISE-PIC 3.4 Patch 2 (Package: `ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz`)
* **For CVE-2025-20282:**
* Cisco ISE/ISE-PIC 3.4 Patch 2 (Package: `ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz`)
### Workarounds
- There are **no workarounds** currently available to address these issues.
## Detection
- Detection methods were not explicitly detailed in the summary, but standard network monitoring and endpoint detection tools should focus on:
- Unusual remote API calls targeting Cisco ISE/ISE-PIC services.
- Unexpected file creations or executions in system directories on the affected servers.
## References
- Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6