On June 4, 2025, Cisco released fixes for multiple vulnerabilities, several of which were noted to have publicly available proof-of-concept (PoC) exploit code. The most severe issue, CVE-2025-20286, affects cloud deployments of Cisco Identity Services Engine (ISE) on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). When exploited, it could allow an unauthenticated, remote threat actor to access sensitive data, execute certain administrative operations, modify system configurations, or disrupt services within the impacted systems.
CVE-2025-20286 arises from improperly generated credentials during cloud deployment, causing identical credentials to be shared across different Cisco ISE instances running the same platform and software release. The vulnerability is exploitable only if the Primary Administration Node is deployed in the cloud; on-premises deployments are not affected.
Cisco ISE is a widely used network access control solution that manages identity and policy enforcement across enterprise networks.
In addition to CVE-2025-20286, Cisco disclosed two medium-severity vulnerabilities, both of which have publicly available PoC exploit code:
- CVE-2025-20130: An arbitrary file upload vulnerability in Cisco ISE.
- CVE-2025-20129: An information disclosure vulnerability in the Cisco Customer Collaboration Platform (formerly Cisco SocialMiner).
Arctic Wolf has not observed exploitation of these vulnerabilities. However, due to the public availability of PoC exploit code and the historical targeting of Cisco products (as evidenced in CISA’s Known Exploited Vulnerabilities catalog), threat actors may attempt to exploit these vulnerabilities in the future.
Recommendation For CVE-2025-20286
Upgrade to Latest Fixed Release
Arctic Wolf strongly recommends that customers upgrade to the latest fixed release of the products listed below.
Affected Product | Vulnerability | Affected Release | First Fixed Release |
Cisco ISE | | 3.0 and earlier | Migrate to a fixed release. |
Cisco ISE | | 3.1 | |
Cisco ISE | | 3.2 | |
Cisco ISE | | 3.3 | |
Cisco ISE | | 3.4 | 3.4P3 (October 2025) |
Cisco ISE | | 3.5 | Planned release (Aug 2025) |
Cisco CCP | | Earlier than 12.5(1) SU2 | Migrate to a fixed release. |
Cisco CCP | | 12.5(1) SU2 | Migrate to a fixed release. |
Cisco CCP | | 12.5(1) SU4 | Migrate to a fixed release. |
Cisco CCP | | 15.0 | Not vulnerable. Note: The fixed software for CCP/SocialMiner is included in the Unified Contact Center Express 15.0(1) download. |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
- Note: If the Primary Administration node is deployed in the cloud, then Cisco ISE is affected by CVE-2025-20286. If the Primary Administration node is on-premises, then it is not affected.