News

Cisco ISE Flaws Under Active Attack: Critical Security Patches Now Urgent

Published

2 months ago

July 22, 2025

Cisco is sounding the alarm. Three critical security vulnerabilities in its Identity Services Engine (ISE)—all rated 10 out of 10 in severity—are being actively exploited. And if you’re running vulnerable versions, you’re on the clock.

The networking giant says attackers are now probing these flaws in the wild, raising the stakes for organizations that haven’t yet applied the fixes. While Cisco hasn’t released details on how the attacks are being carried out or how successful they’ve been, the urgency is crystal clear: patch now, or risk a breach.

What We Know So Far

The vulnerabilities affect Cisco Identity Services Engine (ISE) and its Passive Identity Connector (ISE-PIC)—products used by enterprises to control who and what gets access to their networks.

Here’s the timeline:

Two of the bugs (CVE-2025-20281 and CVE-2025-20282) were disclosed on June 25, 2025.
The third one (CVE-2025-20337) dropped on July 16, 2025.
Just days later, Cisco confirmed attackers are already attempting to exploit them.

Cisco’s Product Security Incident Response Team (PSIRT) said in its updated advisory:

“In July 2025, the Cisco PSIRT became aware of attempted exploitation of some of these vulnerabilities in the wild.”

So far, no full-blown compromises have been confirmed publicly. But that doesn’t mean systems are safe.

The Flaws That Are Raising Red Flags

Each of these vulnerabilities allows remote attackers to execute code as root—without any authentication. That’s a worst-case scenario for network security teams. Here’s a breakdown:

CVE-2025-20281 – Lets attackers send crafted API requests to execute commands as root on the host OS. No login needed.
CVE-2025-20282 – Allows malicious file uploads into sensitive directories. Once uploaded, the files execute as root.
CVE-2025-20337 – Another API-based flaw that bypasses input validation, handing root access to an unauthenticated attacker.

All three are zero-click remote code execution vulnerabilities. That means an attacker doesn’t need to trick someone into clicking anything. Just sending the right payload is enough.

Patching Strategy: What You Need To Do Now

Cisco has already released fixes, but they’re split across different patch levels depending on the version you’re running. So here’s what needs to happen:

ISE 3.3 users should upgrade to Patch 7
ISE 3.4 users should upgrade to Patch 2
Users on ISE 3.2 or earlier? You’re off the hook this time—those versions aren’t affected

But here’s the kicker:
There are no workarounds. None. You either patch or stay vulnerable.

Admins should prioritize this immediately, especially if your ISE deployment is externally accessible or plays a key role in controlling network access.

Why These Bugs Are Especially Dangerous

Most security bugs don’t get a 10.0 score on the CVSS scale. These did. And for good reason.

We’re talking:

No authentication required
Full system-level privileges granted
Remote exploitation over APIs
Widely used enterprise software

Cisco ISE is used in healthcare, finance, government—you name it. If attackers get root on an ISE box, they can potentially pivot to the rest of the internal network. That’s what makes this so serious.

These bugs are tailor-made for attackers who want persistence, privilege escalation, or lateral movement.

Warnings From the Past: Similar Incidents That Went Bad

We’ve seen this pattern before. A critical remote code execution bug shows up. Patches are available. Then comes the silence—until it’s too late.

Think SolarWinds. Or Fortinet’s FortiOS SSL VPN vulnerabilities in 2023. Those had patches, but attackers still got in because organizations didn’t move fast enough.

Once exploits are in the wild, it becomes a race.

In 2024, similar flaws in Ivanti Connect Secure VPN appliances were exploited by nation-state actors weeks after disclosure. Several U.S. federal agencies were affected.

Cisco ISE could be next if patches aren’t applied swiftly.