CVE-2025-20286
BaseFortify
Publication date: 2025-06-04
Last updated on: 2025-10-15
Assigner: Cisco Systems, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | identity_services_engine | 3.1.0 |
| cisco | identity_services_engine | 3.2.0 |
| cisco | identity_services_engine | 3.3.0 |
| cisco | identity_services_engine | 3.4.0 |
| amazon | amazon_web_services | * |
| microsoft | azure | * |
| oracle | cloud_infrastructure | * |

The source listed each ISE release once per cloud platform it is paired with; collapsed here, the pairing was 3.1.0 through 3.4.0 with amazon_web_services, and 3.2.0 through 3.4.0 with azure and cloud_infrastructure. The version values are base releases; the fixed patch levels are given in the Q&A below.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-259 | The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to Cisco ISE deployments by configuring cloud security groups, and Cisco ISE itself, to allow only authorized administrator source IP addresses. For a fresh installation, run `application reset-config ise` on the Primary Administration node deployed in the cloud so that new, deployment-specific user passwords are generated. On an existing deployment the same command resets the node to factory defaults and discards its configuration, so it is not a drop-in remediation and must be planned (back up first). Upgrade to a fixed release (3.3P8, 3.4P3, or the planned 3.5) as soon as one is available for your release train. If you do not have a valid license or service contract, contact Cisco TAC for assistance. [1]
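The first mitigation above, limiting who can reach the node, is easy to get wrong in a cloud security group. The following added example (not code from the advisory or from Cisco) audits a security group in the JSON shape returned by `aws ec2 describe-security-groups` and reports every ingress rule that lets a source outside an administrator allow-list reach the node's administrative ports. The port list (443 for the admin GUI and API, 22 for SSH) and the allow-list are assumptions to adapt to your deployment; the sample group is constructed.

```python
"""Audit a cloud security group protecting a Cisco ISE Primary Administration node.

Added example, not code from the advisory or from Cisco. It reads a security
group in the JSON shape returned by `aws ec2 describe-security-groups`
("IpPermissions" list) and reports every ingress rule that lets a source
outside the administrator allow-list reach the node's administrative ports.
ADMIN_PORTS (443 for the admin GUI/API, 22 for SSH) and ADMIN_ALLOWLIST are
assumptions to adapt to your deployment.
"""
import ipaddress

# Assumption: TCP ports exposing ISE administration on the PAN.
ADMIN_PORTS = {22, 443}

# Assumption: the only networks administrators may connect from (RFC 5737 range).
ADMIN_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]


def admin_ports_in_rule(rule):
    """Return the admin ports one IpPermissions entry covers (empty set if none)."""
    if rule.get("IpProtocol") == "-1":            # "all traffic" rule: every port
        return set(ADMIN_PORTS)
    if rule.get("IpProtocol") not in ("tcp", "6"):
        return set()
    lo = rule.get("FromPort", 0)
    hi = rule.get("ToPort", 65535)
    return {p for p in ADMIN_PORTS if lo <= p <= hi}


def source_allowed(cidr):
    """True only if every address in cidr lies inside an allow-listed network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == allowed.version and net.subnet_of(allowed)
               for allowed in ADMIN_ALLOWLIST)


def find_exposures(security_group):
    """List (source_cidr, admin_ports) pairs reachable from unapproved sources."""
    findings = []
    for rule in security_group.get("IpPermissions", []):
        ports = admin_ports_in_rule(rule)
        if not ports:
            continue
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in sources:
            if not source_allowed(cidr):
                findings.append((cidr, tuple(sorted(ports))))
    return findings


# Constructed sample in the describe-security-groups shape: one rule that
# follows the advisory's advice (HTTPS only from the admin range) and two
# that do not (SSH from anywhere; all traffic from an unrelated /24 and ::/0).
SAMPLE_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    for cidr, ports in find_exposures(SAMPLE_SG):
        print(f"{SAMPLE_SG['GroupId']}: {cidr} reaches admin ports {ports}")
```

Feed it the real output of `aws ec2 describe-security-groups --group-ids <id>` (one element of `SecurityGroups`) and an empty result means no unapproved source can reach the administrative ports; the same check applies, with the field names adjusted, to Azure network security groups and OCI security lists.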
Can you explain this vulnerability to me?
This vulnerability affects Cisco Identity Services Engine (ISE) deployed on cloud platforms, namely AWS, Microsoft Azure, and Oracle Cloud Infrastructure. It exists because credentials are improperly generated when Cisco ISE is deployed on a cloud platform, so every deployment of the same software release on the same platform ends up with identical credentials (a hard-coded password in CWE terms, see CWE-259 above). An unauthenticated, remote attacker who extracts these credentials from one deployment can reuse them against any other deployment on the same platform and release whose ports are reachable. This allows the attacker to access sensitive data, perform limited administrative operations, modify system configurations, or disrupt services. The vulnerability only affects deployments where the Primary Administration node is in the cloud; deployments with an on-premises Primary Administration node are not affected even if other nodes run in the cloud. [1]
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker to gain unauthorized access to sensitive data within Cisco ISE deployments, execute limited administrative operations, change system configurations, or disrupt services. This can compromise the security and availability of your Cisco ISE cloud deployments, potentially affecting network access control and security policies managed by Cisco ISE. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection starts with an inventory check: is the Primary Administration node of your Cisco ISE deployment running on AWS, Azure, or OCI, and is it on an affected release (3.1 through 3.4) below the fixed patch level? On the ISE CLI, `show version` reports the installed release and patch. The shared credentials themselves are not observable from a single node, so look for exploitation instead: review administrator login and audit records for successful logins from source addresses you do not recognise, and check the cloud security group for administrative ports (HTTPS and SSH on a typical ISE node) reachable from outside your administrator ranges. Do not use `application reset-config ise` as a detection step: on an existing node it resets the configuration to factory defaults and reports nothing about credential state. The referenced source provides no further detection commands. [1]
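The inventory check described above can be scripted. The following added example (not Cisco's code) parses text shaped like the ISE `show version` output and applies the conditions stated on this page: affected only when the Primary Administration node runs on AWS, Azure, or OCI on a 3.1 through 3.4 release, with 3.3 fixed from Patch 8 and 3.4 fixed from Patch 3, and 3.5 not affected. The `show version` layout used here is an assumption to check against your own node, the sample output is constructed, and treating every patch level of 3.1 and 3.2 as affected follows from the page listing no fixed patch for those trains.

```python
"""Triage a Cisco ISE node for CVE-2025-20286 from its `show version` output.

Added example, not Cisco's code. Assumptions: the `show version` text carries
the base release on the first "Version :" line and the installed patch on a
second "Version :" line under the Patch header; the fixed patch levels and
affected trains are taken from the Q&A on this page.
"""
import re

CLOUD_PLATFORMS = {"aws", "azure", "oci"}

# First fixed patch per release train (3.3P8, 3.4P3). 3.1 and 3.2 list no fix,
# so any patch level of those trains is treated as affected; 3.5 is not affected.
FIRST_FIXED_PATCH = {(3, 3): 8, (3, 4): 3}


def parse_show_version(text):
    """Return (major, minor, patch) from `show version`-like output.

    A missing second "Version :" line means no patch is installed (patch 0).
    """
    versions = re.findall(r"^Version\s*:\s*(\S+)", text, flags=re.MULTILINE)
    if not versions:
        raise ValueError("no Version line found in show version output")
    major, minor = (int(part) for part in versions[0].split(".")[:2])
    patch = int(versions[1]) if len(versions) > 1 else 0
    return major, minor, patch


def is_affected(release, pan_in_cloud, platform):
    """Apply the advisory conditions as summarised on this page."""
    major, minor, patch = release
    # Only deployments whose Primary Administration node is in the cloud.
    if not pan_in_cloud or platform.lower() not in CLOUD_PLATFORMS:
        return False
    # Affected trains are 3.1 through 3.4; 3.5 and later are not affected.
    if (major, minor) < (3, 1) or (major, minor) >= (3, 5):
        return False
    first_fixed = FIRST_FIXED_PATCH.get((major, minor))
    if first_fixed is None:          # 3.1 / 3.2: no fixed patch, upgrade required
        return True
    return patch < first_fixed


def triage(show_version_text, pan_in_cloud, platform):
    """Return a small report dict for one node."""
    release = parse_show_version(show_version_text)
    return {
        "release": "%d.%d patch %d" % release,
        "platform": platform,
        "affected": is_affected(release, pan_in_cloud, platform),
    }


# Constructed sample resembling `show version` on a 3.3 node with Patch 7.
SAMPLE_SHOW_VERSION = """\
Cisco Application Deployment Engine OS Release: 3.3
ADE-OS Build Version: 3.3.0.430
ADE-OS System Architecture: x86_64

Cisco Identity Services Engine
---------------------------------------------
Version      : 3.3.0.430

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 7
"""

if __name__ == "__main__":
    print(triage(SAMPLE_SHOW_VERSION, pan_in_cloud=True, platform="aws"))
```

Run it against the captured `show version` text of each Primary Administration node; a node that reports `affected: True` needs the patch upgrade or, for 3.1 and 3.2, a migration to a fixed train, in addition to the access restrictions above.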