CVE-2025-20282
BaseFortify
Publication date: 2025-06-25
Last updated on: 2025-06-26
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | identity_services_engine | 3.4.0 |
| cisco | identity_services_engine | 3.4.0 |
| cisco | identity_services_engine_passive_identity_connector | 3.4.0 |
| cisco | identity_services_engine_passive_identity_connector | 3.4.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
An attacker exploiting this vulnerability could execute arbitrary code with root privileges on the affected system, potentially leading to full system compromise, unauthorized access, data theft, or disruption of services.
Can you explain this vulnerability to me?
This vulnerability exists in an internal API of Cisco ISE and Cisco ISE-PIC, allowing an unauthenticated remote attacker to upload arbitrary files to the device. Due to a lack of file validation, the attacker can place files in privileged directories and execute them with root privileges on the underlying operating system.