A fully detailed exploit has been publicly released for critical vulnerabilities in Cisco Identity Services Engine (ISE) that are actively being leveraged by threat actors. This development significantly escalates the risk for organizations worldwide, urging immediate patching of affected systems.
Cisco had previously confirmed active exploitation of two maximum-severity vulnerabilities, CVE-2025-20281 and CVE-2025-20337, in its ISE platform. These flaws, both rated with a CVSS score of 10.0, allow unauthenticated remote attackers to execute arbitrary code with root privileges on the underlying operating system. A third vulnerability, CVE-2025-20282, also rated critical, allows for arbitrary file uploads and execution.
The recently published exploit, developed by security researcher Bobby Gould of Trend Micro Zero Day Initiative, provides a comprehensive technical breakdown and payload structure for CVE-2025-20281. While not a ready-to-use script for unsophisticated attackers, it furnishes enough detail for skilled malicious actors to recreate the exploit chain, facilitating wider attacks.
Cisco ISE is a crucial network access control solution, central to managing user and device authentication and enforcing security policies across enterprise networks. A compromise of ISE can grant attackers unrestricted access to internal systems, bypassing critical security controls and potentially leading to widespread network compromise, data exfiltration, and disruption of services.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-20281 and CVE-2025-20337 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal civilian executive branch agencies to apply necessary updates by August 18, 2025. This move underscores the severe and immediate threat these vulnerabilities pose.
Organizations utilizing Cisco ISE or ISE Passive Identity Connector (ISE-PIC) versions 3.3 and 3.4 are particularly vulnerable. Patches are available in ISE 3.3 Patch 7 and 3.4 Patch 2. There are no known workarounds, making immediate application of these security updates paramount. Security teams are strongly advised to not only patch but also to review system logs for any suspicious API activity or unauthorized file uploads, especially on externally exposed deployments.
