Follow-Up: Cisco Updates Advisory with Additional Maximum Severity Unauthenticated RCE in ISE and ISE-PIC (CVE-2025-20337)
On July 16, 2025, Cisco updated its advisory—originally published in late June—to include a third maximum-severity vulnerability affecting Cisco Identity Services Engine (ISE) and ISE-Passive Identity Connector (ISE-PIC), tracked as CVE-2025-20337. All three vulnerabilities allow unauthenticated, remote threat actors to execute arbitrary commands on the underlying operating system with root privileges via exposed APIs.
CVE-2025-20281 and CVE-2025-20337: Stem from insufficient validation of user-supplied input. A threat actor could send a crafted API request to execute arbitrary commands as the root user on an affected system, with no credentials required.
CVE-2025-20282: Caused by missing file validation checks in an internal API, which allows a threat actor to upload files into privileged directories. A successful exploit could lead to arbitrary code execution or root-level access on the device.
Arctic Wolf has not observed exploitation of these vulnerabilities or identified any publicly available proof-of-concept (PoC) exploit. However, given the level of access these vulnerabilities provide and the historical targeting of Cisco products (as noted in CISA’s Known Exploited Vulnerabilities Catalog), threat actors may target these vulnerabilities in the future.