CVE-2025-20281

25.06.2025, 16:15

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability.

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.

Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	10 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cisco	CNA	10 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 71%

Vendor	Product	Version
cisco	identity_services_engine	3.3.0
cisco	identity_services_engine	3.3.0:patch1
cisco	identity_services_engine	3.3.0:patch2
cisco	identity_services_engine	3.3.0:patch3
cisco	identity_services_engine	3.3.0:patch4
cisco	identity_services_engine	3.3.0:patch5
cisco	identity_services_engine	3.3.0:patch6
cisco	identity_services_engine	3.4.0
cisco	identity_services_engine	3.4.0:patch1
cisco	identity_services_engine_passive_identity_connector	3.3.0
cisco	identity_services_engine_passive_identity_connector	3.3.0:patch1
cisco	identity_services_engine_passive_identity_connector	3.3.0:patch2
cisco	identity_services_engine_passive_identity_connector	3.3.0:patch3
cisco	identity_services_engine_passive_identity_connector	3.3.0:patch4
cisco	identity_services_engine_passive_identity_connector	3.3.0:patch5
cisco	identity_services_engine_passive_identity_connector	3.3.0:patch6
cisco	identity_services_engine_passive_identity_connector	3.4.0
cisco	identity_services_engine_passive_identity_connector	3.4.0:patch1

𝑥

= Vulnerable software versions

Known Exploits!

https://www.zerodayinitiative.com/blog/2025/7/24/cve-2025-20281-cisco-ise-api-unauthenticated-remote-code-execution-vulnerability

Common Weakness Enumeration

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
The software constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6

https://www.zerodayinitiative.com/blog/2025/7/24/cve-2025-20281-cisco-ise-api-unauthenticated-remote-code-execution-vulnerability