Cisco on Monday up to date its advisory of a set of just lately disclosed safety flaws in Identification Companies Engine (ISE) and ISE Passive Identification Connector (ISE-PIC) to acknowledge lively exploitation.
“In July 2025, the Cisco PSIRT [Product Security Incident Response Team], grew to become conscious of tried exploitation of a few of these vulnerabilities within the wild,” the corporate mentioned in an alert.
The community tools vendor didn’t disclose which vulnerabilities have been weaponized in real-world assaults, the identification of the menace actors exploiting them, or the size of the exercise.
Cisco ISE performs a central function in community entry management, managing which customers and gadgets are allowed onto company networks and beneath what circumstances. A compromise at this layer may give attackers unrestricted entry to inside methods, bypassing authentication controls and logging mechanisms—turning a coverage engine into an open door.
The vulnerabilities outlined within the alert are all critical-rated bugs (CVSS scores: 10.0) that might permit an unauthenticated, distant attacker to difficulty instructions on the underlying working system as the foundation person –
- CVE-2025-20281 and CVE-2025-20337 – A number of vulnerabilities in a selected API that might permit an unauthenticated, distant attacker to execute arbitrary code on the underlying working system as root
- CVE-2025-20282 – A vulnerability in an inside API that might permit an unauthenticated, distant attacker to add arbitrary information to an affected system after which execute these information on the underlying working system as root
Whereas the primary two flaws are the results of inadequate validation of user-supplied enter, the latter stems from a scarcity of file validation checks that might forestall uploaded information from being positioned in privileged directories on an affected system.
Consequently, an attacker may leverage these shortcomings by submitting a crafted API request (for CVE-2025-20281 and CVE-2025-20337) or importing a crafted file to the affected system (for CVE-2025-20282).
In gentle of lively exploitation, it is important that prospects improve to a set software program launch as quickly as attainable to remediate these vulnerabilities. These flaws are exploitable remotely with out authentication, inserting unpatched methods at excessive danger of pre-auth distant code execution—a top-tier concern for defenders managing essential infrastructure or compliance-driven environments.
Safety groups also needs to evaluate system logs for suspicious API exercise or unauthorized file uploads, particularly in externally uncovered deployments.
