CVE-2025-20337

Cisco ISE API Unauthenticated Remote Code Execution Vulnerability

Basic Information

CVE State
PUBLISHED
Reserved Date
October 10, 2024
Published Date
July 16, 2025
Last Updated
July 29, 2025
Vendor
Cisco
Product
Cisco Identity Services Engine Software, Cisco ISE Passive Identity Connector
Description
A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.
Tags
edge cisa

CVSS Scores

CVSS v3.1

10.0 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

Score
0.21% (Percentile: 43.39%) as of 2025-07-28

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-07-26 04:40:39 UTC)

Known Exploited Vulnerability Information

Source
CVE
Added Date
2025-07-26 04:40:32 UTC

Recent Mentions

Follow-Up: Cisco Updates Advisory with Additional Maximum Severity Unauthenticated RCE in ISE and ISE-PIC (CVE-2025-20337)

On July 16, 2025, Cisco updated its advisory—originally published in late June—to include a third maximum-severity vulnerability affecting Cisco Identity Services Engine (ISE) and ISE-Passive Identity Connector (ISE-PIC), tracked as CVE-2025-20337. All three vulnerabilities allow unauthenticated, remote threat actors to execute arbitrary commands on the underlying operating system with root privileges via exposed APIs. CVE-2025-20281 ...

Max severity Cisco ISE bug allows pre-auth command execution, patch now

Source: BleepingComputer • Published: 2025-07-17 15:53:26 UTC

A critical vulnerability (CVE-2025-20337) in Cisco's Identity Services Engine (ISE) could be exploited to let an unauthenticated attacker store malicious files, execute arbitrary code, or gain root privileges on vulnerable devices. [...]

Cisco Warns of Critical ISE Flaw Allowing Unauthenticated Attackers to Execute Root Code

Source: TheHackerNews • Published: 2025-07-17 05:37:00 UTC

Cisco has disclosed a new maximum-severity security vulnerability impacting Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could permit an attacker to execute arbitrary code on the underlying operating system with elevated privileges. Tracked as CVE-2025-20337, the shortcoming carries a CVSS score of 10.0 and is similar to CVE-2025-20281, which was patched

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Cisco Identity Services Engine. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2025-20337.

Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities

Source: Cisco Security Advisory • Published: 2025-07-16 22:57:26 UTC

Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

Note: Since the publication of version 1.0 of this advisory, improved fixed releases have become available. Cisco recommends upgrading to an enhanced fixed release as follows: If Cisco ISE is running Release 3.4 Patch 2, no further action is necessary. If Cisco ISE is running Release 3.3 Patch 6, additional fixes are available in Release 3.3 Patch 7, and the device must be upgraded. If Cisco ISE has either hot patch ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz or hot patch ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz installed, Cisco recommends upgrading to Release 3.3 Patch 7 or Release 3.4 Patch 2. The hot patches did not address CVE-2025-20337 and have been deferred from CCO.

This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6

Security Impact Rating: Critical
CVE: CVE-2025-20281, CVE-2025-20282, CVE-2025-20337

Timeline

  • CVE ID Reserved (October 10, 2024)

  • CVE Published to Public (July 16, 2025)

  • Added to KEVIntel (2025-07-26 04:40:32 UTC)