CVE-2025-20285
BaseFortify

Publication date: 2025-07-16

Last updated on: 2025-07-22

Assigner: Cisco Systems, Inc.

Description
A vulnerability in the IP Access Restriction feature of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to bypass configured IP access restrictions and log in to the device from a disallowed IP address. This vulnerability is due to improper enforcement of access controls that are configured using the IP Access Restriction feature. An attacker could exploit this vulnerability by logging in to the API from an unauthorized source IP address. A successful exploit could allow the attacker to gain access to the targeted device from an IP address that should have been restricted. To exploit this vulnerability, the attacker must have valid administrative credentials.
Meta Information
Published: 2025-07-16
Last Modified: 2025-07-22
Generated: 2026-05-07
AI Q&A: 2025-07-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 20 associated CPEs
Vendor  Product                                              Version / Range
cisco   identity_services_engine                             versions before 3.3.0 (3.3.0 excluded)
cisco identity_services_engine 3.3.0
cisco identity_services_engine 3.3.0
cisco identity_services_engine 3.3.0
cisco identity_services_engine 3.3.0
cisco identity_services_engine 3.3.0
cisco identity_services_engine 3.3.0
cisco identity_services_engine 3.3.0
cisco identity_services_engine 3.4.0
cisco identity_services_engine 3.4.0
cisco   identity_services_engine_passive_identity_connector  versions before 3.3.0 (3.3.0 excluded)
cisco identity_services_engine_passive_identity_connector 3.3.0
cisco identity_services_engine_passive_identity_connector 3.3.0
cisco identity_services_engine_passive_identity_connector 3.3.0
cisco identity_services_engine_passive_identity_connector 3.3.0
cisco identity_services_engine_passive_identity_connector 3.3.0
cisco identity_services_engine_passive_identity_connector 3.3.0
cisco identity_services_engine_passive_identity_connector 3.3.0
cisco identity_services_engine_passive_identity_connector 3.4.0
cisco identity_services_engine_passive_identity_connector 3.4.0
Weakness Classification
CWE ID   Description
CWE-302  Authentication bypass by assumed-immutable data: the authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the IP Access Restriction feature of Cisco ISE and Cisco ISE-PIC. It allows an authenticated remote attacker who has valid administrative credentials to bypass the configured IP access restrictions and log in to the device from an IP address that should be disallowed. The issue is caused by improper enforcement of access controls configured via the IP Access Restriction feature, enabling the attacker to access the device's API from unauthorized IP addresses.


How can this vulnerability impact me?

This vulnerability can impact you by allowing an attacker with valid administrative credentials to bypass IP-based access controls and gain unauthorized access to your Cisco ISE or Cisco ISE-PIC device from disallowed IP addresses. This could lead to unauthorized administrative actions or changes on the device, potentially compromising the security and integrity of your network environment.

