Cisco Warns of Active Exploits in ISE Products, Allowing Root Access
Cisco has warned of active exploitation of critical vulnerabilities in its Identity Services Engine (ISE) and ISE-PIC products. The attacks, first observed in July 2025, allow unauthenticated remote attackers to execute commands on the underlying operating system with root privileges.
The vulnerabilities are tracked as CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337. CVE-2025-20282 lets an attacker upload files through an internal API and execute them as root, while CVE-2025-20281 and CVE-2025-20337 allow arbitrary code execution on the underlying OS with root privileges.
Cisco first noticed these attacks in July 2025, but the identity of the attackers remains unknown. The company urges customers to upgrade to a fixed software release to mitigate these serious security flaws.
Cisco confirms active exploitation of severe vulnerabilities in ISE and ISE-PIC. The attacks allow arbitrary code execution with root privileges, posing a significant risk to affected systems. Cisco advises customers to promptly upgrade to patched software to protect against further attacks.