CVE-2025-20125
05.02.2025, 17:15
A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node. This vulnerability is due to a lack of authorization in a specific API and improper validation of user-supplied data. An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device. A successful exploit could allow the attacker to attacker to obtain information, modify system configuration, and reload the device. Note: To successfully exploit this vulnerability, the attacker must have valid read-only administrative credentials. In a single-node deployment, new devices will not be able to authenticate during the reload time.Enginsight
| Vendor | Product | Version |
|---|---|---|
| cisco | identity_services_engine | 𝑥 < 3.1 |
| cisco | identity_services_engine | 3.1.0 |
| cisco | identity_services_engine | 3.1.0:patch1 |
| cisco | identity_services_engine | 3.1.0:patch2 |
| cisco | identity_services_engine | 3.1.0:patch3 |
| cisco | identity_services_engine | 3.1.0:patch4 |
| cisco | identity_services_engine | 3.1.0:patch5 |
| cisco | identity_services_engine | 3.1.0:patch6 |
| cisco | identity_services_engine | 3.1.0:patch7 |
| cisco | identity_services_engine | 3.1.0:patch8 |
| cisco | identity_services_engine | 3.1.0:patch9 |
| cisco | identity_services_engine | 3.2.0 |
| cisco | identity_services_engine | 3.2.0:patch1 |
| cisco | identity_services_engine | 3.2.0:patch2 |
| cisco | identity_services_engine | 3.2.0:patch3 |
| cisco | identity_services_engine | 3.2.0:patch4 |
| cisco | identity_services_engine | 3.2.0:patch5 |
| cisco | identity_services_engine | 3.2.0:patch6 |
| cisco | identity_services_engine | 3.3.0 |
| cisco | identity_services_engine | 3.3.0:patch1 |
| cisco | identity_services_engine | 3.3.0:patch2 |
| cisco | identity_services_engine | 3.3.0:patch3 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-285 - Improper AuthorizationThe software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
- CWE-862 - Missing AuthorizationThe software does not perform an authorization check when an actor attempts to access a resource or perform an action.