Hackers Actively Target Cisco ISE in Ongoing RCE Exploits

by | Jul 23, 2025 | News





Cisco Confirms Active Exploitation of Three Critical ISE Vulnerabilities

Cisco has issued a new warning confirming that three recently patched remote code execution vulnerabilities in its Identity Services Engine (ISE) are now being actively exploited.

Critical Flaws Now Under Attack

In an updated advisory, Cisco’s Product Security Incident Response Team (PSIRT) confirmed that all three vulnerabilities—CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337—are being targeted in real-world attacks.

“In July 2025, the Cisco PSIRT became aware of attempted exploitation of some of these vulnerabilities in the wild,” the advisory states.

Although Cisco has not disclosed technical details about how the attacks are being carried out or whether any have been successful, the confirmation of exploitation makes immediate patching critical.

What Is Cisco ISE?

Cisco Identity Services Engine (ISE) is a network security policy management platform that allows organizations to control and monitor access to network resources. Due to its central role in enforcing access policies, it is a high-value target for attackers.


Breakdown of the Vulnerabilities

All three vulnerabilities have received a CVSS score of 10.0, the highest possible severity rating. Each can be exploited remotely without authentication, allowing attackers to execute arbitrary code with root privileges.

CVE-2025-20281

  • Type: Unauthenticated remote code execution
  • Impact: Allows crafted API requests to execute commands as root
  • Affected Versions: ISE and ISE-PIC 3.3 and 3.4
  • Fixed In: ISE 3.3 Patch 7, ISE 3.4 Patch 2

CVE-2025-20282

  • Type: Unauthenticated arbitrary file upload and execution
  • Impact: Upload and execution of malicious files in privileged directories
  • Affected Versions: ISE and ISE-PIC 3.4
  • Fixed In: ISE 3.4 Patch 2

CVE-2025-20337

  • Type: Unauthenticated remote code execution
  • Impact: Exploitation via crafted API requests due to poor input validation
  • Affected Versions: ISE and ISE-PIC 3.3 and 3.4
  • Fixed In: ISE 3.3 Patch 7, ISE 3.4 Patch 2



Required Actions

Organizations must upgrade immediately to mitigate these flaws:

  • ISE 3.3 → Upgrade to Patch 7
  • ISE 3.4 → Upgrade to Patch 2
  • ISE 3.2 or earlier → Not affected, no action required

There are no workarounds for these vulnerabilities. Applying the patches is the only mitigation.
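The upgrade matrix above applied to a node inventory, as an added example that is not from the original article or from Cisco. The CSV columns (`host`, `version`, `patch`), the sample rows and the function names are assumptions, and the check assumes ISE patches are cumulative, so a patch number at or above the fixed one includes the fix.

```python
import csv
import io

# Fix matrix from the article: release train -> (first fixed patch, CVEs on that train).
FIX_MATRIX = {
    (3, 3): (7, ["CVE-2025-20281", "CVE-2025-20337"]),
    (3, 4): (2, ["CVE-2025-20281", "CVE-2025-20282", "CVE-2025-20337"]),
}

def triage(version, patch):
    """Return (status, applicable_cves, required_patch) for one ISE / ISE-PIC node."""
    parts = version.strip().split(".")
    try:
        train = (int(parts[0]), int(parts[1]))
        patch = int(patch or 0)  # empty patch field = base release, no patch installed
    except (ValueError, IndexError):
        return ("UNKNOWN", [], None)  # unparseable record: verify by hand
    if train <= (3, 2):
        return ("NOT_AFFECTED", [], None)  # article: 3.2 or earlier needs no action
    if train not in FIX_MATRIX:
        # Trains newer than 3.4 are not covered by the article: check the advisory.
        return ("UNKNOWN", [], None)
    fixed, cves = FIX_MATRIX[train]
    if patch >= fixed:  # assumption: patches are cumulative
        return ("PATCHED", [], fixed)
    return ("VULNERABLE", cves, fixed)

def triage_inventory(text):
    """Map each host in a CSV inventory to its triage result."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["host"]: triage(r["version"], r["patch"]) for r in rows}

# Constructed sample inventory (hostnames and build numbers are made up).
SAMPLE = """host,version,patch
ise-pan-01,3.3.0.430,6
ise-psn-01,3.3.0.430,7
ise-psn-02,3.4.0.608,
ise-psn-03,3.4.0.608,2
ise-lab-01,3.2.0.542,3
ise-new-01,3.5.0.100,0
ise-bad-01,unknown,1
"""

if __name__ == "__main__":
    for host, (status, cves, fixed) in triage_inventory(SAMPLE).items():
        note = f" -> install Patch {fixed} ({', '.join(cves)})" if cves else ""
        print(f"{host:12} {status}{note}")
```

Nodes reported as `UNKNOWN` need a manual check against the Cisco advisory rather than being treated as safe.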

The nature of these vulnerabilities (unauthenticated, remotely exploitable, and granting root access) makes them highly attractive to threat actors. They could be used to gain a foothold in enterprise environments, move laterally, or exfiltrate sensitive data.

Given that active exploitation is already underway, organizations that rely on Cisco ISE should consider this a priority-one incident response task.


Source: bleepingcomputer.com
