Cisco has updated its advisory to confirm active exploitation of several recently disclosed security flaws in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC).
According to the company’s alert, the Cisco Product Security Incident Response Team (PSIRT) became aware in July 2025 of attempted exploitation of some of these vulnerabilities in the wild. However, Cisco has not revealed which specific flaws were used, who the attackers are, or the extent of the malicious activity.
Cisco ISE is a critical component in network access control, determining which users and devices can access corporate networks and under what conditions. A breach at this level could grant attackers broad access to internal systems while bypassing authentication checks and monitoring tools, effectively disabling the system’s security policies.
The advisory highlights three critical vulnerabilities, all with CVSS scores of 10.0:
- CVE-2025-20281 and CVE-2025-20337: These involve flaws in a specific API that could let unauthenticated remote attackers execute arbitrary code on the operating system as root.
- CVE-2025-20282: This flaw in an internal API allows unauthenticated remote attackers to upload files to an affected device and execute them with root privileges.
The first two vulnerabilities arise from insufficient input validation, while the third stems from inadequate file validation, allowing attackers to place files in sensitive directories.
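To make the "inadequate file validation" bug class concrete, here is an added illustration (not Cisco's code and not derived from the ISE advisory) of an upload handler that trusts a client-supplied filename next to a hardened version. The upload directory, allowed extensions and function names are assumptions chosen for the example; the point is that a handler must confine the final destination to its own directory and reject anything else before a file can land somewhere sensitive.

```python
import os
import re
from pathlib import Path

# Hypothetical upload area and extension allowlist (assumptions for this example).
UPLOAD_ROOT = Path("/var/app/uploads")
ALLOWED_SUFFIXES = {".csv", ".txt", ".json"}


class RejectedUpload(ValueError):
    """Raised when an upload name fails validation."""


def weak_destination(filename: str) -> Path:
    """Weak pattern: joins the client-supplied name straight onto the upload root.

    A name containing '../' segments or an absolute path escapes the intended
    directory, which is the shape of bug the advisory describes.
    """
    return UPLOAD_ROOT / filename


def escapes_upload_root(candidate: Path) -> bool:
    """True when the lexically normalised path lies outside UPLOAD_ROOT.

    os.path.commonpath compares whole path components, so '/var/app/uploads2'
    is correctly treated as outside '/var/app/uploads'.
    """
    root = os.path.normpath(str(UPLOAD_ROOT))
    target = os.path.normpath(str(candidate))
    return os.path.commonpath([root, target]) != root


def safe_destination(filename: str) -> Path:
    """Hardened pattern: strip directories, constrain the name, allowlist the
    extension, then re-check the final path is still under UPLOAD_ROOT."""
    # Keep only the last path component; treat backslashes as separators too.
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base in {".", ".."}:
        raise RejectedUpload("empty or traversal-only name")
    # Conservative character allowlist; anything else is rejected outright.
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", base):
        raise RejectedUpload("name contains characters outside the allowlist")
    if Path(base).suffix.lower() not in ALLOWED_SUFFIXES:
        raise RejectedUpload("extension not allowed")
    dest = UPLOAD_ROOT / base
    # Belt-and-braces: even after the checks above, confirm containment.
    if escapes_upload_root(dest):
        raise RejectedUpload("destination escapes the upload directory")
    return dest


if __name__ == "__main__":
    # Constructed client-supplied names, as they might arrive in an upload request.
    for name in ["report.csv", "../../etc/cron.d/job", "..\\..\\report.csv", "evil.sh"]:
        weak = weak_destination(name)
        print(f"{name!r:28} weak -> {weak}  escapes={escapes_upload_root(weak)}")
        try:
            print(f"{'':28} safe -> {safe_destination(name)}")
        except RejectedUpload as exc:
            print(f"{'':28} safe -> rejected ({exc})")
```

The hardened version does the validation before the write rather than relying on the filesystem to refuse it; pairing that with a service account that cannot write outside its own directory limits the damage if a check is ever bypassed.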
To exploit these issues, an attacker can send specially crafted API requests (for CVE-2025-20281 and CVE-2025-20337) or upload malicious files (for CVE-2025-20282) to a vulnerable system.
Given the active exploitation, Cisco urges all customers to upgrade to the latest patched version immediately. These vulnerabilities can be triggered remotely without any authentication, posing a severe risk to unpatched systems, particularly in environments where security and regulatory compliance are critical.
Security teams should also monitor system logs for unusual API activity or unauthorized file uploads, especially in deployments exposed to the internet.