Red Hot Cyber, The cybersecurity news

Red Hot Cyber

Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Select language
Spanish Italian
Search

Critical Vulnerabilities in Cisco ISE: Urgent Updates Needed

Redazione RHC : 23 July 2025 10:29

The recently discovered critical vulnerabilities in Cisco infrastructure are already being actively exploited by attackers to attack corporate networks. The company has officially confirmed that its Public Security Incident Response Team (PSIRT) has recorded attempts to exploit these vulnerabilities in real-world conditions. We’re talking about breaches in the Cisco Identity Services Engine (ISE) and the Passive Identity Connector (ISE-PIC) module.

Cisco ISE plays a key role in access control: it determines who can connect to the corporate network and under what conditions. Compromising the integrity of this platform gives attackers unrestricted access to the company’s internal systems, allowing them to bypass authentication and logging mechanisms, effectively turning the security system into an open door.

In the official notification, the company listed three critical vulnerabilities with the highest CVSS score of 10 out of 10. All three allow an unauthorized remote attacker to execute commands on a vulnerable device as the root user, which has the highest rights on the system:

  • CVE-2025-20281 and CVE-2025-20337 are related to API request handling. Insufficient validation of user input allows an attacker to craft a specially crafted request that can be used to execute arbitrary code on the ISE server.
  • CVE-2025-20282 involves an internal API that lacks adequate filtering of uploaded files, allowing an attacker to upload a malicious file and execute it in a protected directory, even with root privileges.

Technically, these vulnerabilities arise from lack of input validation (in the first two cases) and insufficient checking of file upload paths (in the third). Exploitation options range from sending a specially crafted API request to uploading a prepared file to a server. In both scenarios, an attacker can bypass authentication mechanisms and gain full control of the device.

Despite being actively exploited, Cisco has not yet disclosed the authors or the extent of the situation. However, the very fact that exploits have appeared underscores the seriousness of the situation.

The company has released patches to address all vulnerabilities and strongly recommends its customers immediately update their software to the latest versions. Unpatched systems are at risk of authentication-free remote takeover attacks, which is particularly dangerous for networks operating under heavy regulatory pressure or critical infrastructure.

In addition to installing updates, experts advise system administrators to carefully analyze activity logs for signs of suspicious API requests or attempts to download unauthorized files, especially if ISE components are externally accessible.

The Cisco ISE situation once again demonstrates how vulnerable even key elements of a security architecture can be if user interfaces and data controls are not adequately controlled. Given the prevalence of these solutions in corporate environments, their compromise could be fatal to the security of the entire internal network.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.

Lista degli articoli
Banner
Redhotcyber is an open-news project that was launched in 2019 and subsequently expanded into a network of individuals collaborating to disseminate information and topics focused on technology, Information Technology, and cybersecurity. Its goal is to increase risk awareness among an ever-growing number of people.

Editorial board : [email protected]

Facebook Linkedin Youtube Telegram Twitter Pinterest Tumblr