Critical Vulnerability in Cisco ISE actively Exploited

23 July 2025

What happened

Cisco released a security advisory on June 15, 2025, detailing two new vulnerabilities, CVE-2025-20281 and CVE-2025-20282, in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC).

Both allow an unauthenticated malicious actor to achieve remote code execution on the underlying operating system as a root user.

Unfortunately, Cisco has now indicated that the critical vulnerabilities in Identity Services Engine (ISE) are now being actively exploited in the wild. A public proof-of-concept is available, making exploitation trivial even for low-skilled attackers. More, Cisco also revealed that the initial patch is incomplete and additional vulnerabilities are addressed in new fixes.

Who is affected

The affected products are

Cisco ISE versions 3.3 and 3.4
ISE-PIC versions 3.3 and 3.4.

What to do

As Cisco ISE is a critical platform for network security, providing authentication, authorization, and accounting, role-based access control, policy management, Active Directory integration, and more, we strongly recommend to:

Apply the latest patches immediately
Ensure Cisco ISE is not directly exposed to the internet

Incident Response Hotline

Facing cyber incidents right now?

Contact our 24/7/365 world wide service incident response hotline.

CSIRT

Protect your Microsoft environment!

Upgrade from VPN to SASE!

Protecting people when they are most vulnerable: Security for Healthcare

Managed Detection and Response

Manage your compliance: prepare for NIS2!

The best Hackers on your side!

From awareness to hacking: get trained by the best!

Whitepaper: Europe’s cyber dilemma in a shifting world

Cy-Xplorer: Your #1 source for expert insights on cyber extortion.

Critical Vulnerability in Cisco ISE actively Exploited

What happened

Who is affected

What to do