
Cisco fixes two critical vulnerabilities in Identity Services Engine


Cisco has fixed two critical vulnerabilities in its Identity Services Engine (ISE) that could allow an authenticated, remote attacker to execute arbitrary commands as root, obtain sensitive information, change configurations and reboot affected devices.

Exploiting these vulnerabilities, rated CVSS 9.9 and 9.1 on a scale of 10, requires valid administrative credentials, but read-only privileges are enough. An attacker who steals or buys such a read-only admin account can silently take full control of the device, even though the operator may believe the account's limited rights keep the attacker contained.

NCC Group attributed an increase in ransomware attacks last year in part to compromised login credentials, which suggests that such credentials are not hard to obtain. A malicious insider holding a read-only admin account could exploit these vulnerabilities just as well.

Both vulnerabilities affect Cisco ISE and Cisco ISE Passive Identity Connector (ISE-PIC) versions 3.0 to 3.3, regardless of device configuration. Patches are available for both products. Version 3.4 is not affected. Users of older, affected versions are advised to upgrade to a patched release as stated in the security advisory.

Cisco has also provided instructions on how to upgrade a device, which can be found in the Upgrade Guides documentation on the Cisco Identity Services Engine support page.

No active exploits

As far as we know, there are no active exploits in circulation at this time. The first vulnerability, CVE-2025-20124, results from insecure deserialization of user-provided Java byte streams in Cisco ISE, network access control software that enforces security policies and manages endpoints in enterprise IT environments.

The vulnerability resides in an API of Cisco ISE and can be exploited by sending a specially formatted serialized Java object to the affected API. A successful exploit can allow the attacker to execute arbitrary commands on the device and elevate privileges, Cisco warned in its security advisory.
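The deserialization flaw described above, illustrated with an added example that is not Cisco's code and does not come from the advisory: a hypothetical API handler that reads a client-supplied Java object stream without restriction, beside the same handler hardened with a JEP 290 ObjectInputFilter allowlist and resource limits. The class names (IseApiDeserializationDemo, NodeConfigRequest) are assumptions made for illustration; the code needs Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class IseApiDeserializationDemo {

    // Hypothetical DTO that an ISE-like node API might legitimately accept.
    public static final class NodeConfigRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String hostname;
        final boolean rebootAfterApply;
        NodeConfigRequest(String hostname, boolean rebootAfterApply) {
            this.hostname = hostname;
            this.rebootAfterApply = rebootAfterApply;
        }
    }

    /** Vulnerable pattern: the API trusts whatever class the client serialized. */
    static Object unsafeDeserialize(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            // Any Serializable class on the classpath is instantiated here, and its
            // readObject/readResolve hooks run before the handler sees the result.
            return in.readObject();
        }
    }

    /** Hardened pattern: allowlist the expected types and cap depth, refs and bytes. */
    static Object safeDeserialize(byte[] body) throws IOException, ClassNotFoundException {
        // First matching pattern wins; the trailing "!*" rejects everything not listed.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=4;maxrefs=64;maxbytes=65536;"
              + NodeConfigRequest.class.getName() + ";"
              + "java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(filter);
            return in.readObject(); // throws InvalidClassException on a rejected class
        }
    }

    // Helper that plays the role of the HTTP client building the request body.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new NodeConfigRequest("ise-node-1", false));
        System.out.println("safe path accepts expected class: "
                + safeDeserialize(legit).getClass().getSimpleName());

        // Stand-in for an attacker-chosen class: any Serializable type not on the allowlist.
        // A real gadget chain would be a class whose deserialization hooks do something harmful.
        byte[] unexpected = serialize(new ArrayList<>(List.of("x")));
        System.out.println("unsafe path instantiates it anyway: "
                + unsafeDeserialize(unexpected).getClass().getName());
        try {
            safeDeserialize(unexpected);
            System.out.println("safe path accepted unexpected class (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("safe path rejected it: " + e.getMessage());
        }
    }
}
```

The allowlist is the important part: a filter that only sets size limits still lets any class on the classpath be instantiated. Where the API is reachable by read-only administrators, as in the advisory, the filter is what keeps a low-privilege session from turning into code execution; better still is to not accept native Java serialization from clients at all and use a data-only format such as JSON mapped onto explicit DTOs.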

Cisco credited Dan Marin and Sebastian Radulea of Deloitte with discovering and reporting this vulnerability. The second vulnerability, an authorization bypass, is tracked as CVE-2025-20125 and was also reported by Radulea.

Stealing sensitive information

"A vulnerability in a Cisco ISE API could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations and reboot the node," Cisco's own advisory warns.

The vulnerability arises because a specific API lacks authorization checks and does not properly validate user-supplied data. It can be triggered by sending a crafted HTTP request to that API on the device: the session is authenticated, but the API never verifies that the caller's read-only role permits the requested action.

Cisco emphasizes that the vulnerabilities are not interdependent: exploiting one is not a prerequisite for exploiting the other. Both critical vulnerabilities follow an earlier flaw, also rated 9.9, in Cisco's Meeting Management tool. That one allowed an authenticated remote attacker with low privileges to gain administrator privileges on affected devices. Cisco fixed it several weeks ago.
