Article Details
Scrape Timestamp (UTC): 2025-06-05 05:38:57.848
Source: https://thehackernews.com/2025/06/critical-cisco-ise-auth-bypass-flaw.html
Original Article Text
Critical Cisco ISE Auth Bypass Flaw Impacts Cloud Deployments on AWS, Azure, and OCI

Cisco has released security patches to address a critical security flaw impacting the Identity Services Engine (ISE) that, if successfully exploited, could allow unauthenticated actors to carry out malicious actions on susceptible systems. The security defect, tracked as CVE-2025-20286, carries a CVSS score of 9.9 out of 10.0. It has been described as a static credential vulnerability.

"A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems," the company said in an advisory.

The networking equipment maker, which credited Kentaro Kawane of GMO Cybersecurity for reporting the flaw, noted it's aware of the existence of a proof-of-concept (PoC) exploit. There is no evidence that it has been maliciously exploited in the wild.

Cisco said the issue stems from the fact that credentials are improperly generated when Cisco ISE is being deployed on cloud platforms, causing different deployments to share the same credentials as long as the software release and cloud platform are the same. Put differently, the static credentials are specific to each release and platform, but are not valid across platforms. As the company highlights, all instances of Cisco ISE release 3.1 on AWS will have the same static credentials. However, credentials that are valid for access to a release 3.1 deployment would not be valid to access a release 3.2 deployment on the same platform. Furthermore, Release 3.2 on AWS would not have the same credentials as Release 3.2 on Azure.
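To make the credential-sharing behaviour described above concrete, the following is an added illustration written for this page, not Cisco's ISE provisioning code (which is not public and whose actual mechanism the advisory does not describe). It models the class of bug: a "weak" password factory whose only inputs are the release string and the platform name, so every deployment of the same release on the same platform derives the same admin secret, beside a "fixed" factory that draws per-instance entropy from the OS CSPRNG. The `Deployment` class, the release/platform labels and the PBKDF2 parameters are assumptions chosen for the example. The attack path is then replayed: the attacker provisions their own release 3.1 instance on AWS, reads its password, and tries it against three other deployments.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 50_000  # assumed stretching cost for the toy password store


def weak_password_factory(release: str, platform: str) -> str:
    """Vulnerable pattern (static credential): the only inputs are the
    release and the cloud platform, which every deployment of that release
    on that platform shares, so the derived "secret" is identical across
    customers. Hypothetical; not the real ISE algorithm."""
    seed = f"{platform}/{release}".encode()
    return hashlib.sha256(seed).hexdigest()[:24]


def fixed_password_factory(release: str, platform: str) -> str:
    """Hardened pattern: ignore the shared inputs entirely and generate a
    fresh per-instance secret from the OS CSPRNG at provisioning time."""
    return secrets.token_urlsafe(24)


class Deployment:
    """Stand-in for one cloud-hosted admin node. It keeps only a salted,
    stretched hash of the admin password it was provisioned with."""

    def __init__(self, release: str, platform: str, password_factory):
        self.release = release
        self.platform = platform
        self._salt = secrets.token_bytes(16)
        self._digest = self._stretch(password_factory(release, platform))

    def _stretch(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self._salt, PBKDF2_ROUNDS
        )

    def login(self, password: str) -> bool:
        # Constant-time comparison so the check itself leaks nothing.
        return hmac.compare_digest(self._stretch(password), self._digest)


def cross_deployment_access(password_factory) -> dict:
    """Replay the attack path: obtain the password from the attacker's own
    AWS / 3.1 instance and try it against other deployments. Returns a map
    of 'platform/release' -> whether the replayed login succeeded."""
    # The attacker's own instance. With the weak factory its password is
    # the same as every other AWS / 3.1 deployment's; with the fixed factory
    # it is unique to that instance.
    attacker_password = password_factory("3.1", "aws")

    victims = {
        "aws/3.1": Deployment("3.1", "aws", password_factory),      # same platform, same release
        "aws/3.2": Deployment("3.2", "aws", password_factory),      # same platform, other release
        "azure/3.1": Deployment("3.1", "azure", password_factory),  # other platform, same release
    }
    return {name: node.login(attacker_password) for name, node in victims.items()}


if __name__ == "__main__":
    print("weak :", cross_deployment_access(weak_password_factory))
    print("fixed:", cross_deployment_access(fixed_password_factory))
```

With the weak factory only the `aws/3.1` replay succeeds, matching the advisory's description that credentials are shared per release and platform but not across releases or across platforms; with the fixed factory none of the replays succeed. Note that hashing the stored password properly does not help here: the weakness is that the plaintext is predictable, so the attacker never needs to crack anything.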
Successful exploitation of the vulnerability could permit an attacker to extract the user credentials from a Cisco ISE cloud deployment and then use them to access Cisco ISE deployed in other cloud environments through unsecured ports. This could ultimately allow unauthorized access to sensitive data, execution of limited administrative operations, changes to system configurations, or service disruptions.

That said, Cisco ISE is only affected in cases where the Primary Administration node is deployed in the cloud. Primary Administration nodes that are on-premises are not impacted.

The following versions are affected -

While there are no workarounds to address CVE-2025-20286, Cisco is recommending that users restrict traffic to authorized administrators or run the "application reset-config ise" command to reset user passwords to a new value. However, it bears noting that running the command will reset Cisco ISE to the factory configuration.
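The mitigation Cisco recommends in place of a workaround is to restrict traffic so that only authorized administrators can reach the node. The following is an added example, not from the article or from Cisco, of the check a practitioner would run against a cloud security group to confirm that. It walks a ruleset in the (simplified, assumed) shape of AWS's DescribeSecurityGroups `IpPermissions` entries and flags any rule that exposes an admin-plane port to a source outside an approved administrator range. The admin ports (22 for SSH CLI, 443 for the web UI/API), the approved range and the sample rules are all constructed assumptions for this example; substitute your own.

```python
import ipaddress

# Assumed admin-plane ports for the node: SSH CLI and HTTPS admin UI/API.
ADMIN_PORTS = {22, 443}

# Assumed range from which administrators (e.g. a jump host) connect.
ALLOWED_ADMIN_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample ruleset in a simplified DescribeSecurityGroups shape.
SAMPLE_RULES = [
    # HTTPS admin UI open to the whole Internet: exposed.
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    # SSH restricted to the admin range: fine.
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    # RADIUS from the internal network: not an admin port, ignored here.
    {"IpProtocol": "udp", "FromPort": 1812, "ToPort": 1813,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    # "All traffic" rule from anywhere over IPv6: exposes both admin ports.
    {"IpProtocol": "-1", "FromPort": -1, "ToPort": -1,
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]


def source_is_authorized(cidr: str, authorized) -> bool:
    """True if every address in `cidr` lies inside an approved admin range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(
        net.version == allowed.version and net.subnet_of(allowed)
        for allowed in authorized
    )


def rule_admin_ports(rule) -> list:
    """Admin ports this rule admits; '-1' means all protocols and all ports."""
    proto = rule["IpProtocol"]
    if proto == "-1":
        low, high = 0, 65535
    elif proto == "tcp":
        low, high = rule["FromPort"], rule["ToPort"]
    else:
        return []  # admin ports here are TCP only
    return sorted(p for p in ADMIN_PORTS if low <= p <= high)


def find_exposed_admin_rules(rules, authorized=ALLOWED_ADMIN_SOURCES) -> list:
    """Return one finding per (rule, source) pair that lets an unapproved
    source reach an admin port. An empty list means the group satisfies the
    'authorized administrators only' requirement for those ports."""
    findings = []
    for rule in rules:
        ports = rule_admin_ports(rule)
        if not ports:
            continue
        sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in sources:
            if not source_is_authorized(cidr, authorized):
                findings.append(
                    {"protocol": rule["IpProtocol"], "ports": ports, "source": cidr}
                )
    return findings


if __name__ == "__main__":
    for f in find_exposed_admin_rules(SAMPLE_RULES):
        print(f"EXPOSED: ports {f['ports']} ({f['protocol']}) from {f['source']}")
```

Feeding real data is a matter of passing the `IpPermissions` list of each group attached to the node's instance; the same logic carries over to Azure NSG and OCI security-list rules once their fields are mapped to the same shape. Restricting reachability narrows who can try the static credentials but does not change them, so it complements rather than replaces applying the patch.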
Daily Brief Summary
Cisco has issued patches for a critical flaw in Identity Services Engine (ISE) deployments on AWS, Azure, and OCI, identified as CVE-2025-20286 with a CVSS score of 9.9.
The vulnerability allows unauthenticated remote attackers to access sensitive data, execute limited administrative operations, alter configurations, or disrupt services.
The flaw arises from shared static credentials among Cisco ISE instances on the same cloud platform and software release.
Instances of the same release on the same cloud platform share identical credentials; credentials are not valid across different platforms or across different releases.
A proof-of-concept exploit is known to exist; however, there are no reports of malicious exploitation in the wild.
Cisco advises that this issue only affects deployments whose Primary Administration node runs in the cloud; on-premises Primary Administration nodes remain unaffected.
No workaround exists; Cisco recommends restricting traffic to authorized administrators or running "application reset-config ise" to reset user passwords, noting that the command also resets the system to its factory configuration.