Cisco patches critical CVE-2025-20337 bug in Identity Services Engine with CVSS 10 Severity

Cisco warns of CVE-2025-20337, a critical ISE flaw (CVSS 10) allowing remote code execution with root privileges.

Cisco addressed a critical vulnerability, tracked as CVE-2025-20337 (CVSS score of 10), in Identity Services Engine (ISE) and Cisco Identity Services Engine Passive Identity Connector (ISE-PIC). An attacker could trigger the vulnerability to execute arbitrary code on the underlying operating system with root privileges.

“Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user.” reads the report published by the IT giant.

The vulnerability CVE-2025-20337 is similar to another issue, tracked as CVE-2025-20281, that the company addressed in June. CVE-2025-20281 (CVSS score of 10) affects Cisco ISE/ISE-PIC 3.3 and later.

CVE-2025-20281 is a critical flaw in Cisco Identity Services Engine/ISE-PIC allowing unauthenticated remote attackers to execute code as root via a vulnerable API.

“These vulnerabilities [CVE-2025-20281 and CVE-2025-20337] are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.” continues the advisory.

Cisco advises upgrading to an enhanced fixed release to address CVE-2025-20337. If Cisco Identity Services Engine is running Release 3.4 Patch 2, no action is needed. For devices on Release 3.3 Patch 6, an upgrade to Patch 7 is required. Systems with hot patches ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz or ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz should be updated to Release 3.3 Patch 7 or 3.4 Patch 2, as these patches do not fix the vulnerability and have been withdrawn from Cisco’s official distribution.

| Cisco ISE or ISE-PIC Release | First Fixed Release for CVE-2025-20281 | First Fixed Release for CVE-2025-20282 | First Fixed Release for CVE-2025-20337 |
|---|---|---|---|
| 3.2 and earlier | Not vulnerable | Not vulnerable | Not vulnerable |
| 3.3 | 3.3 Patch 7 | Not vulnerable | 3.3 Patch 7 |
| 3.4 | 3.4 Patch 2 | 3.4 Patch 2 | 3.4 Patch 2 |
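To turn the remediation guidance and fix matrix above into an inventory check, here is an added example (not Cisco's code or tooling) that parses an ISE release string such as "3.3 Patch 6", compares it against the first-fixed releases for the three CVEs, and flags the two withdrawn hot patches so they are not mistaken for a fix. The hostnames and versions in the sample inventory are constructed.

```python
import re

# Fix matrix from the Cisco advisory: release -> first fixed patch level.
# Releases absent from a table (3.2 and earlier) are not vulnerable to that CVE.
FIRST_FIXED = {
    "CVE-2025-20281": {"3.3": 7, "3.4": 2},
    "CVE-2025-20282": {"3.4": 2},
    "CVE-2025-20337": {"3.3": 7, "3.4": 2},
}
# Hot patches named in the advisory that do NOT fix CVE-2025-20337 and were withdrawn.
WITHDRAWN_HOTPATCHES = {
    "ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz",
    "ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz",
}
VERSION_RE = re.compile(r"^(\d+\.\d+)(?:\s+Patch\s+(\d+))?$", re.IGNORECASE)

def parse_release(text):
    """'3.3 Patch 6' -> ('3.3', 6); a bare release like '3.4' is patch 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ISE release string: {text!r}")
    return m.group(1), int(m.group(2) or 0)

def assess(release_text, hotpatches=()):
    """Return {cve: status} for one ISE/ISE-PIC node, plus a 'note' key
    when a withdrawn hot patch is installed."""
    release, patch = parse_release(release_text)
    result = {}
    for cve, table in FIRST_FIXED.items():
        fixed = table.get(release)
        if fixed is None:
            result[cve] = "not vulnerable"
        elif patch >= fixed:
            result[cve] = "fixed"
        else:
            result[cve] = f"vulnerable - upgrade to {release} Patch {fixed}"
    # A withdrawn hot patch adds no protection; surface it explicitly.
    stale = WITHDRAWN_HOTPATCHES.intersection(hotpatches)
    if stale:
        result["note"] = ("withdrawn hot patch installed, does not fix "
                          "CVE-2025-20337: " + ", ".join(sorted(stale)))
    return result

# Constructed sample inventory (hostnames, versions and patch lists are made up).
INVENTORY = [
    ("ise-a", "3.2 Patch 7", []),
    ("ise-b", "3.3 Patch 6", ["ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz"]),
    ("ise-c", "3.4 Patch 2", []),
]

if __name__ == "__main__":
    for host, ver, hp in INVENTORY:
        print(host, ver, assess(ver, hp))
```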

The Cisco PSIRT is not aware of attacks in the wild exploiting these vulnerabilities.

The researcher Kentaro Kawane of GMO Cybersecurity disclosed the flaw CVE-2025-20337 through the Trend Micro Zero Day Initiative.


Pierluigi Paganini

(SecurityAffairs – hacking, Identity Services Engine)
