Cisco has issued a patch for a critical 10 out of 10 severity bug in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could allow an unauthenticated, remote attacker to run arbitrary code on the operating system with root-level privileges.
ISE is Cisco's network access control and security policy management platform, and ISE-PIC collects user identity information from sources such as Active Directory and shares it with other security tools. This vulnerability, tracked as CVE-2025-20337, is about the worst of the worst: an unauthenticated attacker who can reach the vulnerable API gets root on the appliance, and with it total control of the box that decides who is allowed onto the network. In other words – patch now.
The vendor disclosed CVE-2025-20337 on Wednesday in an update to a June security advisory about two other max-severity flaws in the same products. The new bug is related to CVE-2025-20281, one of the two disclosed in June, which also received a 10 CVSS rating and affects ISE and ISE-PIC releases 3.3 and 3.4, regardless of device configuration.
“These vulnerabilities are due to insufficient validation of user-supplied input,” Cisco noted. “An attacker could exploit these vulnerabilities by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.”
There are no workarounds that mitigate CVE-2025-20337 or CVE-2025-20281, but Cisco has released software updates that fix both, along with CVE-2025-20282, the other critical-rated bug disclosed in June. Because the bugs are reachable without authentication and do not depend on device configuration, restricting network access to the ISE API is at best a stopgap until the fixed release is installed.
The vendor noted that since the original publication of the security advisory last month, “improved fixed releases have become available” and customers should upgrade as follows:
- If Cisco ISE is running Release 3.4 Patch 2, no further action is necessary.
- If Cisco ISE is running Release 3.3 Patch 6, additional fixes are available in Release 3.3 Patch 7, and the device must be upgraded.
- If Cisco ISE has either hot patch ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz or hot patch ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz installed, Cisco recommends upgrading to Release 3.3 Patch 7 or Release 3.4 Patch 2. Those hot patches covered only the June bugs and did not address CVE-2025-20337, so a device that was "patched" in June on the strength of a hot patch alone is still vulnerable.
- […]
Source: Watch out, another max-severity Cisco bug on the loose • The Register

Robin Edgar