Critical Vulnerabilities in Cisco Identity Services Engine (CVE-2025-20281, CVE-2025-20282)

Published On: Jun 30, 2025 12:50

Advisory No: TZCERT-SA-25-0105

Source: Cisco

Software Affected: Cisco ISE and Cisco ISE-PIC

Overview

Cisco ISE and Cisco ISE-PIC are affected by critical vulnerabilities. The vulnerabilities could allow a remote attacker to execute arbitrary code on the affected device.

Description

Cisco ISE and Cisco ISE-PIC are affected by critical vulnerabilities tracked as CVE-2025-20281 and CVE-2025-20282, each with a CVSS base score of 10. The vulnerabilities result from insufficient validation of user-supplied input and from a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. Successful exploitation of these vulnerabilities could allow a remote attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system.

Impact

Successful exploitation of these vulnerabilities may allow the attacker to take control of the affected system.

Solution

Cisco has released patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.
