Full Report
A critical vulnerability (CVE-2025-20337) in Cisco's Identity Services Engine (ISE) could be exploited to let an unauthenticated attacker store malicious files, execute arbitrary code, or gain root privileges on vulnerable devices. [...]
Analysis Summary
# Vulnerability: Critical Pre-Authentication Command Execution in Cisco ISE
## CVE Details
- CVE ID: *Information not explicitly provided for the critical vulnerability described first, only the remediation.* **(Note: The article highlights a "Max severity" bug allowing pre-auth command execution but does not immediately list its CVE ID or CVSS score in the summarized snippet. We will use CVEs listed later for context where applicable.)**
- CVSS Score: *Not explicitly provided for the primary vulnerability.*
- CWE: *Not explicitly provided.*
## Affected Systems
- Products: Cisco Identity Services Engine (ISE)
- Versions: *Versions affected by the main critical bug are not explicitly detailed preceding the fix information.*
- Configurations: *Not specified.*
## Vulnerability Description
A high-severity vulnerability exists in Cisco ISE that allows a remote, unauthenticated attacker to upload and execute malicious files, potentially leading to **root-level command execution**.
*(Note: The article jumps directly to the fix for the critical bug, referencing fixes applied to versions $12.5(1) SU \text{ ES}05$ and $12.6(2) \text{ ES}05$, which likely pertain to this critical flaw, though the description ties these fixes to a different CVE context initially.)*
## Exploitation
- Status: Highly likely targeted/exploited given the "Max severity" rating and immediate patching call. Exploitation allows for root access.
- Complexity: *Not specified, but pre-authentication suggests low complexity.*
- Attack Vector: Network
## Impact
- Confidentiality: High (Potential root access)
- Integrity: High (Potential root access and modification of system files)
- Availability: High (Potential system compromise/denial of service)
---
*The summary below includes details for other listed vulnerabilities found in the provided context, as the main vulnerability's CVE was missing.*
---
## Remediation
### Patches (For other listed vulnerabilities derived from the advisory context)
The following versions address the specified vulnerabilities:
* **Critical RCE Fix (Implied):** Versions 12.5(1) SU ES05 and 12.6(2) ES05.
* **CVE-2025-20272 (Blind SQLi):** Cisco Prime Infrastructure 3.10.6 SU2 and EPNM versions 8.0.1 and 8.1.1.
* **CVE-2025-20283, CVE-2025-20284, CVE-2025-20285 (ISE/ISE-PIC):** ISE versions 3.3 Patch 7 and 3.4 Patch 2.
* **CVE-2025-20288 (SSRF):** Versions 12.5(1) SU ES05 and 12.6(2) ES05.
### Workarounds
- No specific workarounds for the critical pre-authentication RCE were detailed in the provided snippet. Organizations are strongly urged to apply the patches immediately.
## Detection
- Indicators of Compromise (IOCs) related to file uploads or execution of arbitrary commands as the root user should be investigated on affected ISE deployments.
- Detection methods would specifically involve monitoring ingress traffic patterns matching the exploit vector prior to authentication and checking for unauthorized files uploaded to the system.
## References
- Vendor advisories: [cisco-sa-multi-3VpsXOxO](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multi-3VpsXOxO) (Covers CVE-2025-20283, 20284, 20285)
- Vendor advisories: [cisco-sa-ise-rce-u8P2Q3jX](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-rce-u8P2Q3jX) (Likely the main critical vulnerability mentioned)
- Vendor advisories: [cisco-sa-cuis-ssrf-JSuDjeV](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuis-ssrf-JSuDjeV) (Covers CVE-2025-20288)