Cisco Fixes Critical ISE Vulnerabilities Enabling Privilege Escalation

Cisco has released critical updates to address two severe security vulnerabilities in its Identity Services Engine (ISE) platform. These flaws could allow remote attackers to execute arbitrary commands and escalate privileges, putting affected devices at significant risk. Cisco urges users to update their systems promptly to prevent potential exploitation.

The Vulnerabilities

Cisco ISE is affected by two critical vulnerabilities, tracked under the following CVE identifiers:

  • CVE-2025-20124 (CVSS Score: 9.9): This critical flaw exists due to insecure Java deserialization in an API. It allows an authenticated, remote attacker to execute arbitrary commands with root privileges on the affected device.
  • CVE-2025-20125 (CVSS Score: 9.1): This authorization bypass vulnerability in the ISE API enables authenticated, remote attackers with read-only credentials to alter configurations, access sensitive data, and restart nodes.

These vulnerabilities pose serious security risks, as attackers could exploit them by sending malicious serialized Java objects or crafted HTTP requests to specific API endpoints. This could lead to privilege escalation and arbitrary code execution.

Impact and Exploitation

Although Cisco has confirmed that it is not aware of active exploitation of these vulnerabilities, the risk remains high. An attacker could gain full control of a vulnerable system and unauthorized access to critical network resources and services. Applying the patches immediately is therefore recommended.

Each vulnerability is independent, meaning an attacker can exploit either one on its own. Cisco has not provided workarounds, so patching is the only effective remediation.

Fixed Versions

Cisco has addressed these vulnerabilities in the following ISE releases:

  • Cisco ISE software release 3.0 – Migrate to a fixed release
  • Cisco ISE software release 3.1 – Fixed in 3.1P10
  • Cisco ISE software release 3.2 – Fixed in 3.2P7
  • Cisco ISE software release 3.3 – Fixed in 3.3P4
  • Cisco ISE software release 3.4 – Not vulnerable

It is essential for users to upgrade to these fixed releases to ensure their systems are protected from the identified threats.
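For administrators with several ISE nodes, the practical question is which ones still need action. The following added example (not code from Cisco or from the original article) transcribes the fixed-release table above into a small checker that parses ISE version strings such as "3.1P10", "3.2 Patch 3" or "3.3.0.430 Patch 2", decides whether each node is at or above the fixed patch level, and flags the 3.0 train for migration and unlisted trains as unclassified. The version-string format, the hostnames and the inventory are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Fixed-release table transcribed from the advisory summary above:
# train -> first patch level that contains the fix.
FIXED_PATCH: Dict[str, int] = {"3.1": 10, "3.2": 7, "3.3": 4}
NOT_AFFECTED_TRAINS = {"3.4"}   # listed as not vulnerable
MIGRATE_TRAINS = {"3.0"}        # no fix on this train; migrate to a fixed release

# Assumed version-string shapes: "3.1P10", "3.2 Patch 3", "3.3.0.430 Patch 2", "3.4".
VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.\d+)*\s*(?:(?:p|patch)\s*(\d+))?$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[str, int]:
    """Return (train, patch) for an ISE version string; patch is 0 when absent."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    return f"{m.group(1)}.{m.group(2)}", int(m.group(3) or 0)


def assess(text: str) -> Dict[str, object]:
    """Classify one version: vulnerable=True/False, or None when the train is not in the table."""
    train, patch = parse_version(text)
    result: Dict[str, object] = {"train": train, "patch": patch}
    if train in NOT_AFFECTED_TRAINS:
        result.update(vulnerable=False, action="none: release not affected")
    elif train in MIGRATE_TRAINS:
        result.update(vulnerable=True, action="migrate to a fixed release")
    elif train in FIXED_PATCH:
        needed = FIXED_PATCH[train]
        if patch >= needed:
            result.update(vulnerable=False, action="none: fixed patch level already applied")
        else:
            result.update(vulnerable=True, action=f"upgrade to {train}P{needed} or later")
    else:
        # Trains the advisory summary does not list (older or newer) are left for manual review.
        result.update(vulnerable=None, action="train not in the advisory table; consult the Cisco advisory")
    return result


def nodes_needing_action(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (hostname, action) for every node that is vulnerable or unclassified."""
    out: List[Tuple[str, str]] = []
    for host, version in inventory:
        verdict = assess(version)
        if verdict["vulnerable"] is not False:
            out.append((host, str(verdict["action"])))
    return out


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("ise-pan-01", "3.1.0.518 Patch 10"),
    ("ise-psn-01", "3.2 Patch 3"),
    ("ise-psn-02", "3.3P4"),
    ("ise-mnt-01", "3.0"),
    ("ise-lab-01", "3.4"),
    ("ise-old-01", "2.7P5"),
]

if __name__ == "__main__":
    for host, action in nodes_needing_action(SAMPLE_INVENTORY):
        print(f"{host}: {action}")
```

Unlisted trains are deliberately reported rather than silently treated as safe, so an inventory entry the table cannot classify still shows up for review; a version string the parser cannot read raises an error instead of being skipped.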
