On July 16, 2025, Cisco updated its advisory—originally published in late June—to include a third maximum-severity vulnerability affecting Cisco Identity Services Engine (ISE) and ISE-Passive Identity Connector (ISE-PIC), tracked as CVE-2025-20337. All three vulnerabilities allow unauthenticated, remote threat actors to execute arbitrary commands on the underlying operating system with root privileges via exposed APIs.
- CVE-2025-20281 and CVE-2025-20337: Stems from insufficient validation of user-supplied input. A threat actor could send a crafted API request to execute arbitrary commands as the root user on an affected system without any credentials needed.
- CVE-2025-20282: Caused by missing file validation checks in an internal API, which allows a threat actor to upload files into privileged directories. A successful exploit could lead to arbitrary code execution or root-level access on the device.
Arctic Wolf has not observed exploitation of these vulnerabilities or identified any publicly available proof-of-concept (PoC) exploit. However, given the level of access these vulnerabilities provide and the historical targeting of Cisco products (as noted in CISA’s Known Exploited Vulnerabilities Catalog), threat actors may target these vulnerabilities in the future.
Arctic Wolf has assessed our own environment for impact from these vulnerabilities and have determined that we are not affected.
Recommendation
Upgrade to Latest Fixed Release
Arctic Wolf strongly recommends that customers upgrade to the latest fixed release.
| Product | Affected Release | Vulnerability | Fixed Release |
|---|---|---|---|
| Cisco ISE or ISE-PIC | 3.3 | CVE-2025-20281, CVE-2025-20337 | 3.3 Patch 7 |
| Cisco ISE or ISE-PIC | 3.4 | CVE-2025-20281, CVE-2025-20282, CVE-2025-20337 | 3.4 Patch 2 |
- Cisco ISE and ISE-PIC releases version 3.2 and earlier are not affected by any of the three vulnerabilities outlined in this bulletin.
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.
References
Cisco Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6
