On July 23, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlighted ongoing active attacks exploiting critical vulnerabilities in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), enabling unauthenticated attackers to gain root access on affected systems. These flaws, rated with maximum CVSS scores of 10.0, allow remote code execution (RCE) without credentials, posing severe risks to network authentication and authorization infrastructures. Cisco confirmed exploitation attempts as early as July 2025, prompting urgent patching advisories. This incident underscores the escalating threats to enterprise networking tools, with potential for widespread compromise in unpatched environments. Below, we detail the vulnerabilities, attack vectors, impacts, and essential mitigation steps.
The affected vulnerabilities are tracked under three CVEs, all stemming from insufficient input validation in APIs:
These issues affect Cisco ISE and ISE-PIC versions prior to the fixed releases. Cisco disclosed the first two on June 25, 2025, and added the third on July 16, 2025, with confirmation of active exploitation following shortly after. CISA included CVE-2025-20337 in its Vulnerability Summary Bulletin for the week of July 14, 2025, flagging it for immediate attention.
Attackers exploit these flaws by sending specially crafted HTTP requests to exposed ISE APIs, requiring no authentication or user interaction. For CVE-2025-20281 and CVE-2025-20337, the vector involves malformed API calls that trigger RCE. CVE-2025-20282 allows file uploads leading to command execution. Exploitation has been observed in the wild since at least July 2025, with Cisco noting attempts but withholding details on threat actors or scale to avoid aiding attackers.These attacks target internet-exposed ISE deployments, common in enterprise networks for policy enforcement and access control. No specific indicators of compromise (IOCs) have been released, but suspicious API activity or unauthorized file uploads in logs may signal breaches.
Successful exploitation grants attackers root privileges, enabling full system control, credential theft, lateral movement, and persistent backdoors. This could bypass ISE's core functions like authentication and endpoint profiling, exposing sensitive network segments. In critical infrastructure, it risks operational disruptions or data exfiltration. The scope remains unclear, but unpatched systems face high risk, especially amid rising supply chain and enterprise attacks in 2025.
Cisco updated its advisory on July 21, 2025, confirming exploitation and recommending upgrades to fixed versions. No workarounds exist, as disabling affected APIs could impair functionality. CISA's inclusion in its weekly bulletin emphasizes the need for federal agencies and critical infrastructure to prioritize remediation.
To protect against these threats:
Organizations should consult Cisco's advisory for fixed versions and test patches in staging environments. As attacks continue, swift action is critical to prevent root-level breaches in network security infrastructure. For updates, monitor CISA's bulletins and Cisco's security center.