Cisco has warned enterprise administrators about two critical vulnerabilities in its Identity Services Engine (ISE), the platform that handles network access control and identity-based policy in many enterprise networks. The flaws, tracked as CVE-2025-20124 and CVE-2025-20125, carry CVSS base scores of 9.9 and 9.1 out of 10, respectively.
Both flaws require the attacker to already hold valid read-only administrative credentials for the ISE deployment, yet Cisco still rates them critical because of what those credentials can then be turned into: an authenticated remote attacker can execute arbitrary commands and escalate privileges on an affected system. In practice, a read-only admin account (which is often granted to help-desk or audit staff) becomes a path to full control of the identity infrastructure.
CVE-2025-20124 stems from an API in Cisco ISE that insecurely deserializes user-supplied Java byte streams. An attacker with read-only admin credentials who submits a crafted serialized Java object to that API could execute arbitrary commands as the root user on the affected device, so successful exploitation means arbitrary code execution and a full escalation of privileges on the ISE node.
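The deserialization weakness described above, shown as an added illustration in generic Java; this is not Cisco's code and does not reflect how ISE's APIs are implemented or how Cisco fixed them. A handler that calls `ObjectInputStream.readObject()` on a client-supplied byte stream instantiates whatever serializable class the stream names, which is what turns an API that expects one request type into a launcher for attacker-chosen classes (gadget chains). The hardened handler beside it constrains the stream with a JEP 290 `ObjectInputFilter` allowlist, available in Java 9 and later. The class names, the request type and the limits are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/** Added example: a generic Java deserialization handler, before and after hardening. Not Cisco code. */
public class DeserializationDemo {

    /** Hypothetical request type that the API endpoint legitimately expects. */
    public static final class NodeConfigRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String hostname;
        NodeConfigRequest(String hostname) { this.hostname = hostname; }
    }

    /**
     * Stand-in for any other Serializable class on the classpath. In a real attack this
     * would be a class whose deserialization side effects do something useful to the attacker.
     */
    public static final class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /** Vulnerable pattern: trusts the class names embedded in the client's byte stream. */
    static Object vulnerableHandler(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();   // instantiates whatever class the stream names
        }
    }

    /** Hardened pattern: allow-list the one expected type, reject everything else, cap depth and size. */
    static Object hardenedHandler(byte[] body) throws IOException, ClassNotFoundException {
        // Patterns are evaluated in order: the expected type and String are allowed,
        // "!*" rejects every other class, and the limits bound the stream itself.
        String pattern = NodeConfigRequest.class.getName()
                + ";java.lang.String;!*;maxdepth=3;maxbytes=4096";
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(filter);
            Object o = in.readObject();   // throws InvalidClassException on a rejected class
            if (!(o instanceof NodeConfigRequest)) {
                throw new InvalidClassException("unexpected top-level type: "
                        + (o == null ? "null" : o.getClass().getName()));
            }
            return o;
        }
    }

    /** Helper used only to build the constructed sample inputs below. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new NodeConfigRequest("ise-node-1"));   // constructed input
        byte[] hostile = serialize(new UnexpectedType());                 // constructed input

        // The vulnerable handler happily materialises a class the endpoint never asked for.
        System.out.println("vulnerable handler accepted: "
                + vulnerableHandler(hostile).getClass().getName());

        // The hardened handler accepts the expected request ...
        System.out.println("hardened handler accepted: "
                + hardenedHandler(legit).getClass().getName());

        // ... and refuses the unexpected class before any of its code runs.
        try {
            hardenedHandler(hostile);
            System.out.println("hardened handler accepted hostile stream (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("hardened handler rejected hostile stream: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo`. The allowlist is the important part: blocking known gadget classes by name is a losing race, whereas naming the one type an endpoint expects and rejecting everything else fails closed when a new gadget chain appears. Even with a filter in place, an API that accepts serialized Java objects from any authenticated caller is still worth replacing with a non-executable encoding such as JSON.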
The second flaw, CVE-2025-20125, lies in a different ISE API that lacks proper authorization checks and does not adequately validate user-supplied data. An attacker with read-only admin credentials could use it to read sensitive information, change the configuration of a node, and restart the node. Roy Akerman, VP of Identity Security Strategy at Silverfort, underscored the severity of both issues, pointing in particular to the risk of identity-based attacks and to how a compromised identity platform enables lateral movement across the network.
Cisco has released fixes for all affected versions of Cisco ISE and of the Cisco Identity Services Engine Passive Identity Connector (ISE-PIC). Releases earlier than 3.4 are affected; 3.4 is not. The fixed releases are 3.1 Patch 10, 3.2 Patch 7 and 3.3 Patch 4. Deployments on 3.0 and earlier receive no patch and should be migrated to one of the fixed releases.
Cisco stresses that the fixes should be applied promptly, because no workarounds exist that address either vulnerability. Customers with service contracts that entitle them to regular software updates receive the fixes through their usual update channels; customers without such a contract can obtain the upgrades by contacting the Cisco Technical Assistance Center (TAC).
At the time of the advisory, Cisco was not aware of any exploitation of these vulnerabilities in the wild. Given that a low-privilege admin account is all an attacker needs, however, administrators should treat the update as urgent and move affected ISE and ISE-PIC nodes to a fixed release rather than wait for reports of active attacks. Cisco's advisory and fixes address the issues across all supported affected versions.
