
Cisco Patches Severe Flaws in ISE (CVE-2025-20286) & Other Products; PoC Exploits Confirmed for Some
On June 4, 2025, Cisco published 10 new security advisories that affect a range of products and services, including popular platforms like the Cisco Identity Services Engine (ISE), Unified Computing System (UCS) servers, and the Nexus Dashboard Fabric Controller (NDFC).
These advisories cover vulnerabilities spanning critical (CVE-2025-20286), high (CVE-2025-20261, CVE-2025-20163), and medium severity levels, some of which could seriously impact cloud environments and mission-critical systems. Here’s a closer look at the most significant vulnerabilities, their potential impact, and what you can do to mitigate the risks.
CVE-2025-20286: Shared Static Credentials in Cisco ISE Cloud Deployments
The most severe vulnerability, CVE-2025-20286 (CVSS 9.9), affects the Cisco Identity Services Engine (ISE) when deployed on cloud platforms like AWS, Azure, and Oracle Cloud Infrastructure (OCI). Due to improper credential generation, multiple ISE deployments on the same platform and release share identical static credentials.

Vulnerability card of CVE-2025-20286 (SOCRadar Vulnerability Intelligence)
This means an unauthenticated attacker could:
- Access sensitive data.
- Perform limited administrative tasks.
- Modify configurations or even disrupt services.
The vulnerability specifically affects deployments where the Primary Administration node is in the cloud. On-premises deployments are not affected.
There are no direct workarounds. However, Cisco recommends:
- Restricting access to the ISE instance by only allowing trusted source IP addresses via cloud security groups.
- Using the application reset-config ise command on fresh installations to regenerate the default credentials. Note that this resets the system to factory defaults, and restoring a backup taken before the reset will bring back the original vulnerable credentials.
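As an added example (not Cisco's or SOCRadar's code) of the first mitigation above, the Python below audits AWS-style security-group ingress rules for a cloud-hosted ISE node and flags any rule that exposes a management port to sources outside a trusted allowlist; the port numbers, the allowlist and the sample security group are assumptions constructed for the example.

```python
import ipaddress

# Assumed management ports on a cloud-hosted ISE Primary Administration node
# (443 for the admin GUI/API, 22 for CLI SSH); adjust to your deployment.
ISE_MGMT_PORTS = {22, 443}

# Constructed allowlist of trusted sources, e.g. a corporate VPN egress range.
TRUSTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]


def offending_sources(rule, trusted=TRUSTED_SOURCES):
    """Return CIDRs in one AWS-style IpPermissions rule that reach an ISE
    management port from outside the trusted allowlist."""
    if rule.get("IpProtocol") not in ("tcp", "-1"):      # "-1" means all
        return []
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    if not any(lo <= p <= hi for p in ISE_MGMT_PORTS):
        return []
    bad = []
    for entry in rule.get("IpRanges", []):
        cidr = ipaddress.ip_network(entry["CidrIp"])
        if not any(cidr.version == t.version and cidr.subnet_of(t)
                   for t in trusted):
            bad.append(entry["CidrIp"])
    return bad


def audit_security_group(sg):
    """Return one finding per (port range, CIDR) that is too open."""
    return [
        {"ports": (rule.get("FromPort"), rule.get("ToPort")), "cidr": cidr}
        for rule in sg.get("IpPermissions", [])
        for cidr in offending_sources(rule)
    ]


# Constructed sample group: world-open HTTPS (bad) and VPN-only SSH (good).
SAMPLE_SG = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ],
}

if __name__ == "__main__":
    for f in audit_security_group(SAMPLE_SG):
        print(f"ports {f['ports']} reachable from untrusted {f['cidr']}")
```

Feed it the IpPermissions structure returned by the cloud API for the ISE instance's security group; an empty result means every management-port rule is confined to the allowlist.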
According to the advisory, Proof-of-Concept (PoC) exploit code for CVE-2025-20286 is already available, although Cisco has not seen active exploitation in the wild.
For more details, visit the official advisory here.
High Severity Vulnerabilities: Elevated Privileges and SSH Risks
Cisco also released two high severity advisories:
1. Cisco Integrated Management Controller Privilege Escalation (CVE-2025-20261, CVSS 8.8)

Vulnerability card of CVE-2025-20261 (SOCRadar Vulnerability Intelligence)
This vulnerability allows an authenticated attacker to elevate privileges on Cisco Integrated Management Controllers (IMC) for various UCS platforms, including:
- UCS B-Series Blade Servers
- UCS C-Series and S-Series Servers
- UCS X-Series Modular Systems
An attacker with valid credentials can exploit SSH misconfigurations to gain unauthorized access to internal services and even create new admin accounts.
While no public exploitation has been reported, administrators are strongly advised to apply Cisco’s software updates immediately. If SSH is not required, it should be disabled on the affected IMCs to reduce risk.
Full details and mitigation steps are available in the Cisco advisory.
2. SSH Host Key Validation Flaw in Nexus Dashboard Fabric Controller (CVE-2025-20163, CVSS 8.7)

Vulnerability card of CVE-2025-20163 (SOCRadar Vulnerability Intelligence)
This flaw impacts the Cisco Nexus Dashboard Fabric Controller (NDFC), previously known as DCNM. Due to insufficient SSH host key validation, an attacker could perform a Man-in-the-Middle (MitM) attack to impersonate a managed device and intercept sensitive traffic.
No workarounds exist, so patching is the only secure option. Cisco has released updates to fix this issue – details are provided in the official advisory.
Numerous Other Cisco Vulnerabilities Patched – ISE & CCP Vulnerabilities Have Exploits Available
Cisco also disclosed several medium severity vulnerabilities:
- CVE-2025-20278: Command Injection vulnerability in Cisco Unified Communications Products.
- CVE-2025-20276, CVE-2025-20277, CVE-2025-20279: Vulnerabilities in Cisco Unified Contact Center Express which allow Cross-Site Scripting (XSS) attacks or the execution of arbitrary code.
- CVE-2025-20275: Remote Code Execution (RCE) vulnerability in Cisco Unified Contact Center Express Editor.
- CVE-2025-20259: Arbitrary File Deletion in ThousandEyes Endpoint Agent for Windows.
- CVE-2025-20130: Arbitrary File Upload vulnerability in Cisco Identity Services Engine.
- CVE-2025-20129: Information Disclosure vulnerability in Cisco Customer Collaboration Platform (formerly SocialMiner).
- CVE-2025-20273: Cross-Site Scripting (XSS) in Cisco Unified Intelligent Contact Management.
These vulnerabilities involve potential command injection, RCE, file manipulation, XSS, and information disclosure. Notably, Proof-of-Concept (PoC) exploit code is available for the medium-severity vulnerabilities CVE-2025-20129 (CVSS 4.3) and CVE-2025-20130 (CVSS 4.9), in addition to the critical CVE-2025-20286 discussed earlier.
While these medium severity vulnerabilities are not as urgent as the critical and high severity flaws, they still pose potential risks, especially since exploits are available for two of them, and should be addressed promptly.
Recommendations and How You Can Stay Ahead with the Right Tools
These new advisories call for prompt patching and strong access controls, especially for cloud deployments and management interfaces like SSH. Your organization should:
- Review and apply Cisco’s updates for all affected products.
- Restrict SSH and other management access to trusted IPs only.
- Continuously monitor for unusual activity in these systems.
SOCRadar’s Cyber Threat Intelligence (CTI) and Attack Surface Management (ASM) can enhance your security posture by providing timely insight into newly disclosed CVEs, their exploitability, and their impact on your assets. These modules work hand in hand to deliver a clearer perspective on your organization’s exposure and risk.

Easily track and handle company vulnerabilities with SOCRadar’s ASM module
Here’s how SOCRadar’s Vulnerability Intelligence capabilities help you stay ahead:
- Real-time tracking of CVEs with exploitability scoring and contextual details to prioritize patching efforts.
- Continuous analysis of attacker trends, including new campaigns and evolving tactics, to keep you informed.
- Identification of exposed assets – such as SSH endpoints and cloud services – that could be targeted by attackers.
- Visibility into impersonating domains, misconfigured services, and external assets that could put your environment at risk.
- Alerts and contextual insights tailored to your organization’s digital footprint to close security gaps quickly.
Together, these capabilities help you understand your exposure, adapt to new threats, and reduce the risk of exploitation.