CVE-2025-20281

Cisco ISE API Unauthenticated Remote Code Execution Vulnerability

Basic Information

CVE State: PUBLISHED
Reserved Date: October 10, 2024
Published Date: June 25, 2025
Last Updated: July 28, 2025
Vendor: Cisco
Product: Cisco Identity Services Engine Software
Description: A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.
Tags: edge cisa

CVSS Scores

CVSS v3.1

10.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

Score: 0.06% (Percentile: 19.66%) as of 2025-07-28

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2025-07-26 04:40:32 UTC)

Known Exploited Vulnerability Information

Source: CVE
Added Date: 2025-07-26 04:40:25 UTC

Recent Mentions

Exploit available for critical Cisco ISE bug exploited in attacks

Source: BleepingComputer • Published: 2025-07-28 17:29:23 UTC

Security researcher Bobby Gould has published a blog post demonstrating a complete exploit chain for CVE-2025-20281, an unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE). [...]

CVE-2025-20281

Source: Horizon3.ai Attack Research • Published: 2025-07-24 18:21:16 UTC

Cisco ISE API Unauthenticated Remote Code Execution Vulnerability
On July 16, 2025, Cisco updated its advisory—originally published in late June—to include a third maximum-severity vulnerability affecting Cisco Identity Services Engine (ISE) and ISE-Passive Identity Connector (ISE-PIC), tracked as CVE-2025-20337. All three vulnerabilities allow unauthenticated, remote threat actors to execute arbitrary commands on the underlying operating system with root privileges via exposed APIs. CVE-2025-20281 ... Follow-Up: Cisco Updates Advisory with Additional Maximum Severity Unauthenticated RCE in ISE and ISE-PIC (CVE-2025-20337)

Cisco Warns of Critical ISE Flaw Allowing Unauthenticated Attackers to Execute Root Code

Source: TheHackerNews • Published: 2025-07-17 05:37:00 UTC

Cisco has disclosed a new maximum-severity security vulnerability impacting Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could permit an attacker to execute arbitrary code on the underlying operating system with elevated privileges. Tracked as CVE-2025-20337, the shortcoming carries a CVSS score of 10.0 and is similar to CVE-2025-20281, which was patched

ZDI-25-609: Cisco Identity Services Engine invokeStrongSwanShellScript Command Injection Remote Code Execution Vulnerability

Source: Zero Day Initiative Published Advisories • Published: 2025-07-17 05:00:00 UTC

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Identity Services Engine. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2025-20281.

CVE-2025-20281 & CVE-2025-20282: Unauthenticated RCE Vulnerabilities in Cisco ISE and ISE-PIC

On June 25, 2025, Cisco released patches for two maximum-severity vulnerabilities in Cisco Identity Services Engine (ISE) and ISE-Passive Identity Connector (ISE-PIC). Both flaws allow unauthenticated, remote threat actors to execute commands on the underlying operating system with root privileges via exposed HTTPS APIs. Although similar in outcome, the vulnerabilities are independent and do not ... CVE-2025-20281 & CVE-2025-20282: Maximum Severity Unauthenticated RCE Vulnerabilities in Cisco ISE and ISE-PIC

Cisco has released updates to address two maximum-severity security flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could permit an unauthenticated attacker to execute arbitrary commands as the root user. The vulnerabilities, assigned the CVE identifiers CVE-2025-20281 and CVE-2025-20282, carry a CVSS score of 10.0 each. A description of the defects is

Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities

Source: Cisco Security Advisory • Published: 2025-06-25 16:00:00 UTC

Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6 Security Impact Rating: Critical CVE: CVE-2025-20281, CVE-2025-20282

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel