Cisco has dropped patches for a pair of critical vulnerabilities that could allow unauthenticated remote attackers to execute code on vulnerable systems.
Tracked as CVE-2025-20281 and CVE-2025-20282, Cisco assigned them both maximum 10/10 severity ratings, although the former was reduced to 9.8 by the National Vulnerability Database.
Both bugs affect Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC), allowing attackers to execute code on the underlying OS as root.
Put simply, it means they are both about as bad as they come.
ISE is a network access control solution, which can be found running on secure network servers, VMs, and some cloud instances.
ISE-PIC is used in the user authentication process, passively gathering up identity data and feeding it into other security tools.
Cisco said the two vulnerabilities are independent – they can be exploited individually, and exploiting one is not a requirement for exploiting the other.
[…]
Source: Cisco fixes two critical make-me-root bugs • The Register

Robin Edgar