On June 25, 2025, Cisco released patches for two maximum-severity vulnerabilities in Cisco Identity Services Engine (ISE) and ISE-Passive Identity Connector (ISE-PIC). Both flaws allow unauthenticated, remote threat actors to execute commands on the underlying operating system with root privileges via exposed HTTPS APIs. Although similar in outcome, the vulnerabilities are independent and do not require each other to be exploited.
- CVE-2025-20281: Stems from insufficient validation of user-supplied input. A threat actor could send a crafted API request to execute arbitrary commands as the root user on an affected system.
- CVE-2025-20282: Caused by missing file validation checks, which allows a threat actor to upload files into privileged directories. A successful exploit could lead to arbitrary code execution or root-level access on the device.
Arctic Wolf has not observed exploitation of these vulnerabilities or identified any publicly available proof-of-concept (PoC) exploit. However, given the level of access these vulnerabilities provide and the historical targeting of Cisco products (as noted in CISA’s Known Exploited Vulnerabilities Catalog), threat actors may target these vulnerabilities in the future.
Recommendation for CVE-2025-20281 & CVE-2025-20282
Upgrade to Latest Fixed Release
Arctic Wolf strongly recommends that customers upgrade to the latest fixed release.
| Product | Vulnerability | Affected Release | Fixed Release |
| --- | --- | --- | --- |
| Cisco ISE or ISE-PIC | CVE-2025-20281 | 3.3 | 3.3 Patch 6 |
| Cisco ISE or ISE-PIC | CVE-2025-20281, CVE-2025-20282 | 3.4 | 3.4 Patch 2 |
- Note: 3.2 and earlier releases of Cisco ISE or ISE-PIC are not vulnerable to CVE-2025-20281 or CVE-2025-20282.
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.