Scrape Timestamp (UTC): 2025-02-06 16:46:59.267
Original Article Text
Critical Cisco ISE bug can let attackers run commands as root.

Cisco has released patches to fix two critical vulnerabilities in its Identity Services Engine (ISE) security policy management platform. Enterprise administrators use Cisco ISE as an identity and access management (IAM) solution that combines authentication, authorization, and accounting into a single appliance.

The two security flaws (CVE-2025-20124 and CVE-2025-20125) can be exploited by authenticated remote attackers with read-only admin privileges to execute arbitrary commands as root and bypass authorization on unpatched devices. These vulnerabilities impact Cisco ISE and Cisco ISE Passive Identity Connector (ISE-PIC) appliances, regardless of device configuration.

"This vulnerability is due to insecure deserialization of user-supplied Java byte streams by the affected software," Cisco said, describing the CVE-2025-20124 bug tagged with a 9.9/10 severity rating. "An attacker could exploit this vulnerability by sending a crafted serialized Java object to an affected API. A successful exploit could allow the attacker to execute arbitrary commands on the device and elevate privileges."

CVE-2025-20125 is caused by a lack of authorization in a specific API and improper validation of user-supplied data, which can be exploited using maliciously crafted HTTP requests to obtain information, modify a vulnerable system's configuration, and reload the device.

Admins are advised to migrate or upgrade their Cisco ISE appliances to one of the fixed releases listed in the table below as soon as possible. Cisco's Product Security Incident Response Team (PSIRT) has yet to discover evidence of publicly available exploit code or that the two critical security flaws (reported by Deloitte security researchers Dan Marin and Sebastian Radulea) have been abused in attacks.
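As an added, defender-side example that is not from the article or from Cisco: a small triage script that flags HTTP request bodies carrying a Java serialized object (the kind of "user-supplied Java byte stream" Cisco's description refers to) and reports the top-level class name, which is what an analyst reviewing API traffic or a WAF log would want to see. The request records, paths and the base64 content-type convention are constructed assumptions and do not model any real ISE API.

```python
import base64
import struct
from typing import Optional

STREAM_MAGIC = b"\xac\xed\x00\x05"    # Java serialization STREAM_MAGIC + STREAM_VERSION
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72  # "new object" / "new class descriptor" type codes

def top_level_class_name(stream: bytes) -> Optional[str]:
    """Class name of the first object in a serialized stream, or None.
    Only the common TC_OBJECT -> TC_CLASSDESC shape is parsed; other shapes
    (back-references, proxies, arrays) give None but are still a hit."""
    body = stream[len(STREAM_MAGIC):]
    if not stream.startswith(STREAM_MAGIC) or len(body) < 4:
        return None
    if body[0] != TC_OBJECT or body[1] != TC_CLASSDESC:
        return None
    (name_len,) = struct.unpack(">H", body[2:4])  # className: big-endian length-prefixed UTF
    name = body[4:4 + name_len]
    return name.decode("utf-8", errors="replace") if len(name) == name_len else None

def decode_body(content_type: str, body: bytes) -> bytes:
    """Undo base64 transport encoding when the request declares it (assumed convention)."""
    if "base64" in content_type.lower():
        try:
            return base64.b64decode(body, validate=True)
        except ValueError:
            return body
    return body

def scan_requests(requests: list[dict]) -> list[tuple[str, Optional[str]]]:
    """(path, top-level class) for every request body that is a Java serialized stream."""
    hits = []
    for req in requests:
        raw = decode_body(req.get("content_type", ""), req["body"])
        if raw.startswith(STREAM_MAGIC):
            hits.append((req["path"], top_level_class_name(raw)))
    return hits

def sample_stream(class_name: str) -> bytes:
    """Constructed test data: a stream header naming one class (not a complete object)."""
    name = class_name.encode()
    return STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]) + struct.pack(">H", len(name)) + name

SAMPLE_REQUESTS = [  # constructed request records, not real Cisco ISE traffic
    {"path": "/api/example", "content_type": "application/json", "body": b'{"ok": true}'},
    {"path": "/api/example", "content_type": "application/octet-stream",
     "body": sample_stream("java.util.HashMap")},
    {"path": "/api/upload", "content_type": "text/plain; base64",
     "body": base64.b64encode(sample_stream("com.example.Widget"))},
]
```

A hit only says a serialized Java object reached the API; whether that is legitimate traffic depends on the endpoint, so use it to prioritise review and patching, not as a verdict on its own.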
On Wednesday, the company also warned of high-severity vulnerabilities impacting its IOS, IOS XE, IOS XR (CVE-2025-20169, CVE-2025-20170, CVE-2025-20171) and NX-OS (CVE-2024-20397) software that can let attackers trigger denial of service (DoS) conditions or bypass NX-OS image signature verification.

Cisco has yet to patch the DoS vulnerabilities impacting IOS, IOS XE, and IOS XR software with the SNMP feature enabled. However, it said they're not exploited in the wild and provided mitigation measures requiring admins to disable vulnerable object identifiers (OIDs) on vulnerable devices (although this could negatively impact network functionality or performance). The company plans to roll out software updates to address the SNMP DoS security bugs in February and March.

In September, Cisco fixed another Identity Services Engine vulnerability (with public exploit code) that lets threat actors escalate privileges to root on vulnerable appliances. Two months later, it also patched a maximum severity vulnerability that allows attackers to run commands with root privileges on vulnerable Ultra-Reliable Wireless Backhaul (URWB) access points.
Daily Brief Summary
Cisco has addressed critical vulnerabilities in its Identity Services Engine (ISE) that could allow authenticated remote attackers to execute commands as root.
The flaws, CVE-2025-20124 and CVE-2025-20125, enable attackers with read-only admin access to bypass authorization and modify system configurations or reload devices.
The CVE-2025-20124 issue involves insecure deserialization of Java byte streams and has a high severity rating of 9.9 out of 10.
Affected products include Cisco ISE and Cisco ISE Passive Identity Connector appliances, regardless of their configuration.
Cisco advises administrators to upgrade their systems to the patched versions listed to mitigate the vulnerabilities.
Alongside these issues, Cisco also alerted users about separate high-severity vulnerabilities in its IOS, IOS XE, IOS XR, and NX-OS software, which include potential DoS and signature verification bypass risks.
There is no evidence these critical vulnerabilities have been exploited in the wild; proactive patching and system updates are strongly recommended.