CVE-2025-20281
BaseFortify
Publication date: 2025-06-25
Last updated on: 2025-10-28
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | identity_services_engine | 3.3.0 |
| cisco | identity_services_engine | 3.3.0 |
| cisco | identity_services_engine | 3.3.0 |
| cisco | identity_services_engine | 3.3.0 |
| cisco | identity_services_engine | 3.3.0 |
| cisco | identity_services_engine | 3.3.0 |
| cisco | identity_services_engine | 3.3.0 |
| cisco | identity_services_engine | 3.4.0 |
| cisco | identity_services_engine | 3.4.0 |
| cisco | identity_services_engine_passive_identity_connector | 3.3.0 |
| cisco | identity_services_engine_passive_identity_connector | 3.3.0 |
| cisco | identity_services_engine_passive_identity_connector | 3.3.0 |
| cisco | identity_services_engine_passive_identity_connector | 3.3.0 |
| cisco | identity_services_engine_passive_identity_connector | 3.3.0 |
| cisco | identity_services_engine_passive_identity_connector | 3.3.0 |
| cisco | identity_services_engine_passive_identity_connector | 3.3.0 |
| cisco | identity_services_engine_passive_identity_connector | 3.4.0 |
| cisco | identity_services_engine_passive_identity_connector | 3.4.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability (CVE-2025-20281) affects Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) versions 3.3 and later. It allows an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system with root privileges by submitting a specially crafted API request. The root cause is insufficient validation of user-supplied input in a specific API, enabling the attacker to gain full control of the affected device without needing any credentials. [1]
How can this vulnerability impact me? :
Exploitation of this vulnerability can lead to an attacker gaining root-level access to the affected device remotely without authentication. This means the attacker can execute arbitrary code, potentially compromising the confidentiality, integrity, and availability of the system. Such control could allow the attacker to manipulate data, disrupt services, or use the device as a foothold for further attacks within the network. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or methods provided for this vulnerability. Detection would likely involve monitoring for unusual API requests or attempts to submit crafted API requests to Cisco ISE or ISE-PIC versions 3.3 and later, but no explicit commands or detection tools are mentioned. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Cisco ISE and Cisco ISE-PIC to the fixed releases: for CVE-2025-20281, upgrade to Cisco ISE/ISE-PIC 3.3 Patch 6 (ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz). There are no workarounds available. Customers should verify hardware and software compatibility before upgrading and follow Cisco's official update guidance. [1]