CVE-2025-20285

16.07.2025, 17:15

A vulnerability in the IP Access Restriction feature of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to bypass configured IP access restrictions and log in to the device from a disallowed IP address.

This vulnerability is due to improper enforcement of access controls that are configured using the IP Access Restriction feature. An attacker could exploit this vulnerability by logging in to the API from an unauthorized source IP address. A successful exploit could allow the attacker to gain access to the targeted device from an IP address that should have been restricted. To exploit this vulnerability, the attacker must have valid administrative credentials.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	4.1 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
cisco	CNA	4.1 MEDIUM	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 9%

Vendor	Product	Version
cisco	identity_services_engine	𝑥 < 3.3.0
cisco	identity_services_engine	3.3.0
cisco	identity_services_engine	3.3.0:patch1
cisco	identity_services_engine	3.3.0:patch2
cisco	identity_services_engine	3.3.0:patch3
cisco	identity_services_engine	3.3.0:patch4
cisco	identity_services_engine	3.3.0:patch5
cisco	identity_services_engine	3.3.0:patch6
cisco	identity_services_engine	3.4.0
cisco	identity_services_engine	3.4.0:patch1
cisco	identity_services_engine_passive_identity_connector	𝑥 < 3.3.0
cisco	identity_services_engine_passive_identity_connector	3.3.0
cisco	identity_services_engine_passive_identity_connector	3.3.0:patch1
cisco	identity_services_engine_passive_identity_connector	3.3.0:patch2
cisco	identity_services_engine_passive_identity_connector	3.3.0:patch3
cisco	identity_services_engine_passive_identity_connector	3.3.0:patch4
cisco	identity_services_engine_passive_identity_connector	3.3.0:patch5
cisco	identity_services_engine_passive_identity_connector	3.3.0:patch6
cisco	identity_services_engine_passive_identity_connector	3.4.0
cisco	identity_services_engine_passive_identity_connector	3.4.0:patch1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-302 - Authentication Bypass by Assumed-Immutable Data
The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multi-3VpsXOxO