New Cisco ISE Vulnerability Allows Root Exploits Without Authentication
New Cisco ISE Vulnerability Allows Root Code Execution – CVE-2025-20337
Maximum-Severity Vulnerability Disclosed
Cisco has issued an urgent security advisory for a critical vulnerability affecting Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). Tracked as CVE-2025-20337, the flaw holds a CVSS score of 10.0, the highest possible severity rating.
The issue allows unauthenticated, remote attackers to execute arbitrary code on the host operating system with root-level privileges, without requiring any credentials.
Vulnerability Summary
The vulnerability exists due to insufficient validation of user-supplied input in a specific API. Attackers can exploit this by crafting and submitting a malicious API request to a vulnerable system.
If successful, the attacker gains full root control, which could lead to complete system compromise, lateral movement within the network, or persistence through implants.
Affected Products and Patch Versions
Vulnerable Versions
- Cisco ISE 3.3
- Cisco ISE 3.4
- Cisco ISE-PIC 3.3
- Cisco ISE-PIC 3.4
The vulnerability affects these versions regardless of configuration.
Not Affected
- Cisco ISE / ISE-PIC 3.2 and earlier
Fixed Versions
- ISE / ISE-PIC 3.3 – Fixed in Patch 7
- ISE / ISE-PIC 3.4 – Fixed in Patch 2
Cisco recommends updating to these patches immediately to mitigate the risk.
See Also: So, you want to be a hacker?
Offensive Security, Bug Bounty Courses
Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.
Discovery and Research Credits
The flaw was responsibly disclosed by Kentaro Kawane of GMO Cybersecurity, who has previously reported:
- CVE-2025-20286
- CVE-2025-20282 (also affecting Cisco ISE)
- CVE-2025-25257 (a separate RCE in Fortinet FortiWeb)
Exploitation Not Yet Observed, But the Risk Is High
Cisco confirms that no in-the-wild exploitation of CVE-2025-20337 has been observed as of now. However, due to the severity and ease of exploitation (no credentials required), organizations should treat this as an urgent threat.
In parallel, threat actors are actively exploiting Fortinet FortiWeb via CVE-2025-25257, a SQL injection flaw that enables remote code execution through crafted HTTP requests.
Real-World Attacks: Fortinet Under Fire
Ongoing Exploitation of CVE-2025-25257
According to the Shadowserver Foundation, attackers are deploying web shells on Fortinet FortiWeb devices using public exploits for CVE-2025-25257.
- First observed: July 11, 2025
- Infected instances (as of July 15): 77
-
- North America: 44
- Asia: 14
- Europe: 13
Exposure Estimate
Censys reports over 20,098 Fortinet FortiWeb appliances online (excluding honeypots), though the number vulnerable to CVE-2025-25257 remains unknown.
Trending: Oracle ILOM Compromise via EternalBlue
Trending: Recon Tool: WaybackLister
Immediate Recommendations
For Cisco ISE / ISE-PIC users:
- Upgrade to 3.3 Patch 7 or 3.4 Patch 2 immediately
- Disable unused APIs if possible
- Monitor for unusual API calls and root-level system changes
For Fortinet FortiWeb users:
- Patch CVE-2025-25257 without delay
- Scan for known indicators of compromise (web shells, unexpected processes)
- Restrict access to the management interface via network segmentation
Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]
Source: thehackernews.com
Recent News
Offensive Security & Ethical Hacking Course
Begin the learning curve of hacking now!
Information Security Solutions
Find out how Pentesting Services can help you.
