A serious security flaw in Cisco Identity Services Engine (ISE) running on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) allows remote attackers to gain access to sensitive data and modify system settings.
The vulnerability, designated CVE-2025-20286, has a CVSS score of 9.9 on a scale of 10, according to Darkreading. The problem arises because Cisco ISE generates credentials improperly when deployed in the cloud. As a result, different deployments of Cisco ISE on the same software version and cloud platform share identical login credentials.
Researchers indicate that malicious parties can exploit this static-credential vulnerability by extracting the credentials from one cloud-deployed Cisco ISE. They can then use those credentials to log in to other Cisco ISE systems running in similar cloud environments via unsecured ports.
According to the researchers, a successful attack would allow an attacker to view sensitive data and perform limited administrative tasks, change settings, or disrupt systems.
The affected platforms are:
- AWS versions 3.1 to 3.4
- Azure versions 3.2 to 3.4
- Oracle Cloud (OCI) versions 3.2 to 3.4
Mitigating measures
There are no temporary solutions that completely resolve this vulnerability. However, Cisco reports that some mitigating measures are available.
- Allow source IP addresses via Cloud Security Groups: By allowing only the IP addresses of customer administrators in the cloud platform's security groups, access is restricted to authorized administrators before traffic reaches the Cisco ISE instance. This effectively blocks malicious connections.
- Allow source IP addresses in Cisco ISE: Customer administrator IP addresses can be allowed via the Cisco ISE user interface.
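The security-group mitigation above depends on every inbound rule for the ISE management ports naming an administrator source range rather than a broad CIDR. The following is an added example, not code from the article or from Cisco, that audits a constructed AWS-style rule set against an administrator allowlist; the rule layout, the sample CIDRs and the choice of ports 22 and 443 as the management ports are assumptions for illustration.

```python
import ipaddress
import json

# Constructed sample of a cloud security group's inbound rules (not real data):
# each entry is one permitted (port, source CIDR) pair reaching the ISE instance.
SAMPLE_RULES = json.loads("""
[
  {"port": 443,  "cidr": "0.0.0.0/0"},
  {"port": 22,   "cidr": "203.0.113.0/24"},
  {"port": 443,  "cidr": "198.51.100.10/32"},
  {"port": 1812, "cidr": "10.0.0.0/8"}
]
""")

# Assumed administrator source ranges (documentation prefixes used as placeholders).
ADMIN_ALLOWLIST = ["203.0.113.0/24", "198.51.100.10/32"]

# Assumed management ports: SSH and the HTTPS admin portal. RADIUS (1812) is
# service traffic from network devices and is deliberately not in this set.
ADMIN_PORTS = {22, 443}


def audit_rules(rules, admin_allowlist, admin_ports):
    """Return (port, cidr) for every management-port rule whose source
    range is not fully contained in an allowlisted administrator range."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in admin_allowlist]
    findings = []
    for rule in rules:
        if rule["port"] not in admin_ports:
            continue  # non-management port: out of scope for this check
        src = ipaddress.ip_network(rule["cidr"], strict=False)
        # subnet_of() only compares networks of the same IP version, so an
        # IPv6 source is never matched against an IPv4 allowlist entry.
        contained = any(
            src.version == a.version and src.subnet_of(a) for a in allowed
        )
        if not contained:
            findings.append((rule["port"], rule["cidr"]))
    return findings


if __name__ == "__main__":
    for port, cidr in audit_rules(SAMPLE_RULES, ADMIN_ALLOWLIST, ADMIN_PORTS):
        print(f"port {port} reachable from {cidr}: not restricted to admin ranges")
```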
For new installations, the command application reset-config ISE can be executed to reset user passwords. This command only needs to be executed on the node with the Primary Administration persona in the cloud. Secondary nodes do not need to be reset. If the Primary Administration persona is running on-premises, it is not necessary to execute the command.
Although these mitigating measures have been successfully tested in a test environment, customers should assess whether these measures are applicable and effective within their own network and usage conditions. Customers should be aware that implementing temporary solutions or mitigating measures may have a negative impact on the operation or performance of their network, depending on their specific implementation and limitations. It is important not to implement any measures without first carefully evaluating the impact on your own environment.
Cisco confirms that a proof-of-concept exists for the vulnerability, but there are no indications that the vulnerability has been exploited in real-world environments.