Cisco recently issued security patches to rectify a critical vulnerability in the Identity Services Engine (ISE). An unauthenticated remote attacker could exploit the flaw to gain access to affected systems.
The vulnerability, identified as CVE-2025-20286 and rated with a CVSS score of 9.9, is categorized as a static credential vulnerability.
The company stated, “A security flaw in cloud deployments of Cisco Identity Services Engine (ISE) on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) could allow remote attackers to access sensitive information, perform limited administrative tasks, alter system configurations, or disrupt services within the affected systems.”
Credit for discovering the flaw goes to Kentaro Kawane of GMO Cybersecurity. Cisco acknowledged the existence of a proof-of-concept (PoC) exploit but confirmed no reported instances of malicious exploitation in the wild.
The vulnerability arises from improper credential generation when Cisco ISE is deployed on cloud platforms. As a result, separate deployments end up with the same credentials whenever they run the same software release on the same cloud platform.
Successful exploitation of the vulnerability could lead to unauthorized access to sensitive data, limited administrative operations, changes in system configurations, or service disruptions. It is important to note that only Primary Administration nodes deployed in the cloud are affected, while those on-premises remain unaffected.
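To make the vulnerability class concrete, here is an added teaching example (not Cisco's code; the derivation scheme, function names and fleet inventory are hypothetical) contrasting a credential derived only from release and platform with a per-instance random credential, plus a fingerprint-based check a defender can run over an inventory to spot nodes that share a credential.

```python
"""Added teaching example for the static-credential class described above.
NOT Cisco's code: the derivation scheme, function names and the fleet
inventory below are hypothetical/constructed."""
import hashlib
import secrets
from collections import defaultdict


def flawed_initial_credential(release: str, platform: str) -> str:
    """Hypothetical weak scheme: the credential depends only on values that
    every instance of the same release on the same cloud shares, so it is
    effectively static across customers."""
    seed = f"{release}:{platform}".encode()
    return hashlib.sha256(seed).hexdigest()[:24]


def hardened_initial_credential(release: str, platform: str) -> str:
    """Per-instance scheme: fresh CSPRNG entropy at deploy time, so no two
    deployments share a credential regardless of release or platform
    (the parameters are accepted only to keep the same call signature)."""
    return secrets.token_urlsafe(24)


def provision_fleet(fleet, scheme):
    """Run a credential scheme over (name, release, platform) tuples and keep
    only a SHA-256 fingerprint per node: enough to detect duplicates without
    storing the secret itself."""
    return [(name, hashlib.sha256(scheme(rel, plat).encode()).hexdigest())
            for name, rel, plat in fleet]


def shared_credential_groups(fingerprints):
    """Defender's check: return groups of nodes whose fingerprints collide."""
    groups = defaultdict(list)
    for name, fp in fingerprints:
        groups[fp].append(name)
    return [names for names in groups.values() if len(names) > 1]


# Constructed inventory: two nodes run the same release on the same cloud.
FLEET = [
    ("ise-aws-prod", "3.3", "aws"),
    ("ise-aws-dr", "3.3", "aws"),
    ("ise-azure-prod", "3.3", "azure"),
    ("ise-aws-lab", "3.4", "aws"),
]

if __name__ == "__main__":
    print("flawed  :", shared_credential_groups(provision_fleet(FLEET, flawed_initial_credential)))
    print("hardened:", shared_credential_groups(provision_fleet(FLEET, hardened_initial_credential)))
```

Under the flawed scheme the two AWS 3.3 nodes collide; under the per-instance scheme no group is reported.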
The affected versions include:
- AWS – Cisco ISE 3.1, 3.2, 3.3, and 3.4
- Azure – Cisco ISE 3.2, 3.3, and 3.4
- OCI – Cisco ISE 3.2, 3.3, and 3.4
Cisco advises users to restrict traffic to authorized administrators or utilize the “application reset-config ise” command to reset user passwords. However, running the command will reset Cisco ISE to its factory configuration.