CVE-2025-20281: Critical Unauthenticated RCE in Cisco ISE & ISE-PIC
Date: August 12, 2025
Author: B1ack4sh
Reference: https://github.com/B1ack4sh/Blackash-CVE-2025-20281
Overview
CVE-2025-20281 is a critical remote code execution (RCE) vulnerability in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). Insufficient validation of user-supplied input in a specific API lets an unauthenticated, remote attacker execute arbitrary commands on the underlying operating system as root.
The vulnerability carries a CVSS v3.1 base score of 9.8, which places it in the Critical range: it is reachable over the network and requires no authentication, no privileges and no user interaction.
Affected Versions
- Vulnerable: Cisco ISE / ISE-PIC 3.3 (before Patch 6) and 3.4 (before Patch 2), regardless of device configuration
- Not affected: Cisco ISE / ISE-PIC 3.2 and earlier
Fixes & Mitigation
Cisco released fixes on June 25, 2025, the publication date of its advisory:
- ISE / ISE-PIC 3.3 → Patch 6
- ISE / ISE-PIC 3.4 → Patch 2
No workarounds are available; patching is the only remediation. Restricting network access to the management interface reduces exposure but does not close the flaw.
Exploitation Details
The flaw resides in the enableStrongSwanTunnel method of the DescriptionRegistrationListener class. A value taken from the request reaches an operating-system command without being validated, so an attacker can inject additional shell commands; because this code path runs with root privileges, the injected commands run as root as well.
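The bug class above, shown as an added example that is not Cisco ISE code and is not taken from the PoC repository: the real flaw is in a Java method (enableStrongSwanTunnel) whose source is not reproduced here, and this Python stand-in only reproduces the pattern. The parameter name peer_address, the use of `echo` in place of the real tunnel command, and the sample inputs are all constructed for the illustration.

```python
"""Command-injection pattern beside its hardened form (added example).

Not Cisco ISE code. `peer_address`, the `echo` stand-in for the tunnel
command, and the inputs below are constructed for illustration only.
"""
import ipaddress
import subprocess


def run_unsafe(peer_address: str) -> str:
    """Vulnerable shape: untrusted input concatenated into a shell string.

    Anything after a shell metacharacter (';', '|', '$(...)') in
    peer_address runs as whatever user owns the process. In a service
    that runs as root, that is root.
    """
    cmd = f"echo tunnel-{peer_address}"  # think 'ipsec up tunnel-<peer>'
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def run_safe(peer_address: str) -> str:
    """Hardened shape: validate against the expected type, then pass an
    argv list so no shell ever parses the value."""
    addr = ipaddress.ip_address(peer_address)  # ValueError unless it is an IP
    argv = ["echo", f"tunnel-{addr}"]          # no shell, no metacharacters
    out = subprocess.run(argv, capture_output=True, text=True, check=True)
    return out.stdout.strip()


def is_injection_attempt(peer_address: str) -> bool:
    """Request-side check a filter could apply: True if the value would
    be rejected by the hardened path."""
    try:
        ipaddress.ip_address(peer_address)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    benign = "10.0.0.1"
    hostile = "10.0.0.1; echo INJECTED"  # constructed payload, harmless here
    print(run_unsafe(benign))            # tunnel-10.0.0.1
    print(run_unsafe(hostile))           # tunnel-10.0.0.1, then INJECTED
    print(run_safe(benign))              # tunnel-10.0.0.1
    try:
        run_safe(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The same fix applies in Java: `Runtime.exec(String)` splits on whitespace and does not start a shell, so metacharacters only matter when code explicitly runs `/bin/sh -c` or `bash -c` with a concatenated string; building an argument array with ProcessBuilder and validating each argument against its expected type removes the shell from the path.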
Proof-of-concept code is public, and the vulnerability has been actively exploited in the wild since July 2025. The U.S. CISA added it to the Known Exploited Vulnerabilities (KEV) Catalog on July 28, 2025 with a remediation deadline of August 18, 2025 for federal civilian agencies.
Recommendations
- Patch immediately: 3.3 deployments to Patch 6 or later, 3.4 deployments to Patch 2 or later, on every node in the deployment.
- Audit all deployments to identify unpatched nodes; confirm the installed patch level (for example with `show version` on the ISE CLI) rather than assuming a scheduled patch was applied.
- Restrict exposure: make ISE management and API interfaces reachable only from trusted administrative networks. This reduces the attack surface but is not a substitute for the patch.
- Monitor ISE application and web-server logs for unexpected API requests, and the underlying OS for processes spawned by the ISE application with shell metacharacters in their arguments.
- Verify patch status with a vulnerability scanner, and because exploitation has been ongoing since July 2025, treat any node that sat unpatched while exposed as potentially compromised: patching removes the bug, not an attacker who already used it.
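A triage helper for the audit step above, added here as an example that is not part of the original advisory or the PoC repository. It encodes only what the page states (3.2 and earlier unaffected, 3.3 fixed at Patch 6, 3.4 fixed at Patch 2) and treats any other train as unknown rather than safe. The inventory is constructed sample data; in practice the version and patch fields would be collected from each node's `show version` output or your CMDB.

```python
"""Patch-level triage for CVE-2025-20281 (added example, not Cisco's code).

The inventory at the bottom is constructed sample data.
"""
from dataclasses import dataclass

# From the advisory text: 3.2 and earlier unaffected; 3.3 fixed at Patch 6;
# 3.4 fixed at Patch 2. Trains not listed here are reported as unknown.
FIXED_PATCH = {(3, 3): 6, (3, 4): 2}
LAST_UNAFFECTED = (3, 2)


def parse_train(version: str) -> tuple[int, int]:
    """'3.3.0.430' -> (3, 3). Raises ValueError on malformed strings."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError(f"unrecognised ISE version string: {version!r}")
    return int(parts[0]), int(parts[1])


def assess(version: str, patch: int) -> str:
    """Classify one node; `patch` is the highest cumulative patch installed
    (0 = none). Returns 'not-affected', 'vulnerable', 'patched' or 'unknown'."""
    train = parse_train(version)
    if train <= LAST_UNAFFECTED:
        return "not-affected"
    fixed_at = FIXED_PATCH.get(train)
    if fixed_at is None:
        return "unknown"  # not covered by this advisory: check Cisco's
    return "patched" if patch >= fixed_at else "vulnerable"


@dataclass
class Node:
    hostname: str
    version: str
    patch: int
    mgmt_exposed: bool  # management interface reachable from untrusted networks


def triage(nodes) -> list[str]:
    """Hostnames that must be patched, most urgent first: nodes whose
    management interface is exposed come before internal-only ones."""
    vuln = [n for n in nodes if assess(n.version, n.patch) == "vulnerable"]
    vuln.sort(key=lambda n: (not n.mgmt_exposed, n.hostname))
    return [n.hostname for n in vuln]


# Constructed inventory for the demonstration.
INVENTORY = [
    Node("ise-pan-01", "3.3.0.430", 5, mgmt_exposed=True),
    Node("ise-psn-02", "3.3.0.430", 6, mgmt_exposed=True),
    Node("ise-psn-03", "3.4.0.608", 1, mgmt_exposed=False),
    Node("ise-legacy", "3.2.0.542", 3, mgmt_exposed=True),
    Node("ise-pic-01", "3.4.0.608", 2, mgmt_exposed=False),
]

if __name__ == "__main__":
    for n in INVENTORY:
        print(f"{n.hostname:12} {n.version:12} patch {n.patch}: "
              f"{assess(n.version, n.patch)}")
    print("patch first:", triage(INVENTORY))
```

Reporting trains outside 3.3 and 3.4 as unknown is deliberate: a version this page does not cover should be checked against Cisco's current advisory, not silently marked safe.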
Summary Table
| Aspect | Details |
|------------------|--------------------------------------|
| Impact | Remote unauthenticated RCE as root |
| Severity | CVSS v3.1 — 9.8 |
| Affected Versions| Cisco ISE / ISE-PIC 3.3, 3.4 (pre-patch) |
| Fixed Versions | 3.3 Patch 6, 3.4 Patch 2 |
| Exploitation | Active in the wild |
| Author (PoC) | B1ack4sh |
| Reference | https://github.com/B1ack4sh/Blackash-CVE-2025-20281 |
Conclusion
CVE-2025-20281 is among the most dangerous vulnerabilities recently disclosed in Cisco ISE, providing attackers with unauthenticated root access. With confirmed active exploitation, immediate patching and strict access controls are essential to mitigate this risk.