Cisco Warns of Active Exploits of Critical ISE Vulnerabilities
Cisco has confirmed that attackers are actively exploiting recently disclosed security flaws in its Identity Services Engine (ISE) and ISE-PIC. The vulnerabilities, identified as CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337, allow unauthenticated attackers to execute commands on the underlying operating system with root privileges.
Cisco first observed these attacks in July 2025. CVE-2025-20281, affecting ISE/ISE-PIC 3.3 and later versions, enables code execution as root via a vulnerable API. Similarly, CVE-2025-20282 allows unauthenticated remote attackers to upload and execute files as root via an internal API. CVE-2025-20337 is similar to CVE-2025-20281, enabling arbitrary code execution on the underlying operating system with root privileges.
While Stellar Cyber was involved in addressing misuse of credentials related to identity services in July 2025, there is no evidence that it or any other organization actively exploited these Cisco ISE and ISE-PIC vulnerabilities at that time.
Cisco urges customers to apply the available patches immediately to mitigate these risks. Affected versions include ISE/ISE-PIC 3.3 and later. The company continues to monitor the situation and will provide updates as necessary.