CVE-2025-20264
BaseFortify
Publication date: 2025-06-25
Last updated on: 2025-07-08
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | identity_services_engine | 3.0.0 |
| cisco | identity_services_engine | 3.0.0 |
| cisco | identity_services_engine | 3.0.0 |
| cisco | identity_services_engine | 3.0.0 |
| cisco | identity_services_engine | 3.0.0 |
| cisco | identity_services_engine | 3.0.0 |
| cisco | identity_services_engine | 3.0.0 |
| cisco | identity_services_engine | 3.0.0 |
| cisco | identity_services_engine | 3.0.0 |
| cisco | identity_services_engine | 3.1.0 |
| cisco | identity_services_engine | 3.1.0 |
| cisco | identity_services_engine | 3.1.0 |
| cisco | identity_services_engine | 3.1.0 |
| cisco | identity_services_engine | 3.1.0 |
| cisco | identity_services_engine | 3.1.0 |
| cisco | identity_services_engine | 3.1.0 |
| cisco | identity_services_engine | 3.1.0 |
| cisco | identity_services_engine | 3.1.0 |
| cisco | identity_services_engine | 3.1.0 |
| cisco | identity_services_engine | 3.1.0 |
| cisco | identity_services_engine | 3.2.0 |
| cisco | identity_services_engine | 3.2.0 |
| cisco | identity_services_engine | 3.2.0 |
| cisco | identity_services_engine | 3.2.0 |
| cisco | identity_services_engine | 3.2.0 |
| cisco | identity_services_engine | 3.2.0 |
| cisco | identity_services_engine | 3.2.0 |
| cisco | identity_services_engine | 3.2.0 |
| cisco | identity_services_engine | 3.3.0 |
| cisco | identity_services_engine | 3.3.0 |
| cisco | identity_services_engine | 3.3.0 |
| cisco | identity_services_engine | 3.3.0 |
| cisco | identity_services_engine | 3.3.0 |
| cisco | identity_services_engine | 3.4.0 |
| cisco | identity_services_engine | 3.4.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authorization bypass in the web-based management interface of Cisco Identity Services Engine (ISE) that affects users created through SAML Single Sign-On (SSO) integration with an external identity provider. Due to insufficient authorization enforcement, an authenticated remote attacker can bypass controls for certain administrative functions by submitting specific commands. This allows the attacker to modify some system settings, including triggering a system restart. [1]
How can this vulnerability impact me? :
Exploiting this vulnerability could allow an attacker to change limited system settings and potentially restart the Cisco ISE system. In single-node deployments, this restart can cause devices that are not authenticated to the network to fail authentication until the system is back online, potentially disrupting network access and availability. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should apply the software updates provided by Cisco. Specifically, upgrade affected Cisco ISE software releases to fixed versions: for 3.2, upgrade to 3.2P8 or later; for 3.3, upgrade to 3.3P5 or later; and for 3.4, upgrade to 3.4P2 or later. For versions 3.1 and earlier, migration to a fixed release is required. There are no workarounds available, so timely application of these updates is critical. Additionally, consult Ciscoβs upgrade guides and verify hardware and software compatibility before upgrading. [1]