

Ethical Hacking News

Cisco Confirms Active Exploits Targeting ISE Flaws Enabling Unauthenticated Root Access




Cisco has recently confirmed that a set of security flaws discovered in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) is being actively exploited in the wild. These critical-rated bugs, which can be exploited remotely without authentication to execute arbitrary code on the underlying operating system as root, pose significant risks for defenders managing critical infrastructure or compliance-driven environments. To mitigate this threat, customers should upgrade to a fixed software release as soon as possible and review their system logs for suspicious activity.

  • Cisco has updated its advisory on security flaws in their Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC).
  • The vulnerabilities are critical-rated bugs with a CVSS score of 10.0, allowing remote exploitation without authentication.
  • The exploits can execute arbitrary code on the underlying operating system as root, bypassing authentication controls.
  • At least three vulnerabilities were discovered: CVE-2025-20281, CVE-2025-20337, and CVE-2025-20282.
  • The flaws are related to API weaknesses that allow unauthenticated remote attackers to execute arbitrary code.
  • Organizations must prioritize patching their systems and take proactive steps to prevent these types of attacks.



    Cisco has recently updated its advisory regarding a set of security flaws discovered in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). The vulnerabilities, which the company disclosed as critical-rated bugs with a CVSS score of 10.0, can be exploited remotely without authentication to execute arbitrary code on the underlying operating system as root.

    The exploits are deemed high-risk because they would allow an attacker to gain unrestricted access to internal systems, bypassing authentication controls and logging mechanisms, effectively turning the policy engine into an open door. The lack of a clear timeline for when the exploits started being used makes it difficult to determine the exact scope of the threat, but Cisco has warned that the security flaws are currently active in the wild.

    According to the alert issued by Cisco, the vulnerabilities were discovered and disclosed to the public as part of their Product Security Incident Response Team (PSIRT) efforts. The vulnerabilities, which have been assigned CVE-2025-20281, CVE-2025-20337, and CVE-2025-20282 designations, are all related to API weaknesses that would allow an unauthenticated remote attacker to execute arbitrary code on the underlying operating system as root.

    The first two flaws, CVE-2025-20281 and CVE-2025-20337, result from insufficient validation of user-supplied input. This means that if an attacker were able to submit a carefully crafted API request, they would be able to execute arbitrary code on the underlying operating system as root without being authenticated or having access to a legitimate account.

    The third vulnerability, CVE-2025-20282, stems from a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected device. This means that if an attacker were able to upload a crafted file to the device, they could execute it as root, effectively gaining control over the system.

    The vulnerabilities are all critical-rated bugs because they can be exploited remotely without authentication. This makes them particularly dangerous, as unpatched systems will be at high risk of pre-auth remote code execution — a top-tier concern for defenders managing critical infrastructure or compliance-driven environments.

    Given that these flaws are already being exploited in the wild while the exploits themselves have not been publicly disclosed, it is essential that customers upgrade to a fixed software release as soon as possible to remediate these vulnerabilities. Furthermore, security teams should also review system logs for suspicious API activity or unauthorized file uploads, especially in externally exposed deployments.

    In light of the current state of the threat, it is crucial that organizations prioritize patching their systems and take proactive steps to prevent these types of attacks from occurring.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Cisco-Confirms-Active-Exploits-Targeting-ISE-Flaws-Enabling-Unauthenticated-Root-Access-ehn.shtml

  • https://thehackernews.com/2025/07/cisco-confirms-active-exploits.html

  • https://nvd.nist.gov/vuln/detail/CVE-2025-20281

  • https://www.cvedetails.com/cve/CVE-2025-20281/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-20337

  • https://www.cvedetails.com/cve/CVE-2025-20337/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-20282

  • https://www.cvedetails.com/cve/CVE-2025-20282/


  • Published: Tue Jul 22 11:55:57 2025 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.
