June 26, 2025 By Bill Toulas
Cisco has published a bulletin to warn about two critical, unauthenticated remote code execution (RCE) vulnerabilities affecting Cisco Identity Services Engine (ISE) and the Passive Identity Connector (ISE-PIC).
The flaws, tracked under CVE-2025-20281 and CVE-2025-20282, are rated with max severity (CVSS score: 10.0). The first impacts ISE and ISE-PIC versions 3.4 and 3.3, while the second affects only version 3.4.
The root cause of CVE-2025-20281 is an insufficient validation of user-supplied input in a specific exposed API. This allows an unauthenticated, remote attacker to send a specially crafted API request to execute arbitrary operating system commands as the root user.
The second issue, CVE-2025-20282, is caused by poor file validation in an internal API, allowing files to be written to privileged directories. The flaw allows unauthenticated, remote attackers to upload arbitrary files to the target system and execute them with root privileges.
Cisco Identity Services Engine (ISE) is a network security policy management and access control platform used by organizations to manage their network connections, serving as a network access control (NAC), identity management, and policy enforcement tool.
