Cisco ISE Hit by CVSS 10 RCE Vulnerabilities Allowing Full System Takeover – Patch Now
On July 16, Cisco published multiple security advisories disclosing a total of nine vulnerabilities across several of its products. Among these, three critical vulnerabilities affect the Cisco Identity Services Engine (ISE), enabling unauthenticated Remote Code Execution (RCE).
The remaining flaws, ranging from high to medium severity, also impact platforms such as Cisco Unified Intelligence Center and Cisco Prime Infrastructure.
This blog breaks down Cisco’s latest vulnerability disclosures, pinpoints the most urgent threats, and equips you with clear steps to strengthen your defenses.
Unauthenticated RCE Flaws Expose ISE to Full Compromise
The most alarming revelations involve three critical vulnerabilities (CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337) in Cisco ISE and its Passive Identity Connector (ISE-PIC), each rated with a maximum CVSS score of 10.0. These flaws allow unauthenticated attackers to execute arbitrary code on affected systems with root privileges.
CVE-2025-20281 & CVE-2025-20337
These vulnerabilities exist in specific APIs within Cisco ISE and ISE-PIC. By sending specially crafted API requests, attackers can bypass authentication and directly interact with the system’s operating environment, executing code with full administrative rights. No credentials or user interaction are required, and the impact spans data confidentiality, integrity, and availability.
CVE-2025-20281 (SOCRadar Vulnerability Intelligence)
CVE-2025-20337 (SOCRadar Vulnerability Intelligence)
CVE-2025-20282
Affecting version 3.4 only, CVE-2025-20282 is rooted in insufficient validation during file uploads via an internal API. Malicious actors can upload and run arbitrary files in privileged directories, effectively gaining root-level control.
CVE-2025-20282 (SOCRadar Vulnerability Intelligence)
Cisco confirmed that these vulnerabilities are independent; exploiting one does not rely on the others. Also, there are currently no known workarounds. Therefore, immediate patching is the only viable mitigation.
The Advisory Is Revised with New CVE and Updated Fixes
We previously covered Cisco’s initial patch guidance for CVE-2025-20281 and CVE-2025-20282 in a June 27 blog post, which you can find here. Since then, Cisco has revised its advisory to include a newly identified critical vulnerability, CVE-2025-20337, also rated CVSS 10.0. Additionally, while CVE-2025-20282 affects only ISE 3.4, the updated advisory clarifies that ISE 3.3 users must upgrade to Patch 7 to fully mitigate both CVE-2025-20281 and the newly added CVE-2025-20337.
Who’s Exposed?
The following Cisco ISE versions are affected by the critical CVEs:
- ISE 3.3 is affected by CVE-2025-20281 and CVE-2025-20337. Cisco recommends upgrading to Patch 7.
- ISE 3.4 is affected by CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337. Cisco recommends upgrading to Patch 2.
- ISE 3.2 and earlier are not affected by these vulnerabilities.
ZoomEye results for Cisco ISE
A recent scan shows that over 2,000 Cisco ISE instances are publicly accessible over the internet. The United States alone accounts for the majority, with more than triple the exposure of any other country, followed by Japan, India, and the United Kingdom. These publicly accessible systems are at heightened risk and could be immediate targets if left unpatched.
SOCRadar’s CTI module, Vulnerability Intelligence page
Stay ahead of CVE disclosures with SOCRadar’s Cyber Threat Intelligence module – get real-time visibility into emerging threats, exploit activity, and actionable patching guidance tailored to your digital footprint.
Other Notable Vulnerabilities
Cisco’s advisory batch also included several high and medium-severity flaws across different products:
High Severity
- CVE-2025-20274: Arbitrary file upload in Cisco Unified Intelligence Center, allowing attackers to upload malicious files and potentially execute them.
Medium Severity
- CVE-2025-20272: Blind SQL injection in Cisco Prime Infrastructure and Evolved Programmable Network Manager, which could let attackers extract sensitive data.
- CVE-2025-20283, CVE-2025-20284, CVE-2025-20285: Affect Cisco ISE, enabling authenticated RCE and authorization bypass under certain conditions.
- CVE-2025-20288: Server-Side Request Forgery (SSRF) in Cisco Unified Intelligence Center, possibly allowing internal network probing.
These medium-rated vulnerabilities pose moderate risk but can be leveraged in chained attacks or pivoting scenarios within compromised environments.
How to Defend Against These Cisco Vulnerabilities
Cisco has released patches to address all the disclosed vulnerabilities. The most urgent updates apply to the three CVSS 10.0 vulnerabilities in Cisco ISE, which currently have no available workarounds. If you use ISE in your environment, take the following immediate steps:
- Patch Priority: For Cisco ISE 3.4, apply Patch 2. For version 3.3, upgrade to Patch 7. Versions 3.2 and earlier are not affected.
- Avoid Hot Patch Reliance: Cisco clarified that previously issued hot patches do not fully address CVE-2025-20337 and should not be relied upon as a fix.
- Upgrade Guidance: Refer to Cisco’s official upgrade documentation to confirm system compatibility and resource availability before applying any fixes.
- Reduce Exposure: Continuously monitor your internet-facing assets with solutions such as SOCRadar Attack Surface Management (ASM). This can help you identify unpatched Cisco devices and other vulnerable systems before they become targets
For full details on these critical ISE vulnerabilities and their fixes, consult the dedicated Cisco Security Advisory.
To stay updated on vulnerabilities affecting other Cisco products mentioned in this blog, visit the Cisco Security Advisories hub.

