Cybersecurity Threat Advisory

Two critical vulnerabilities have been identified in Cisco’s Identity Services Engine (ISE). These vulnerabilities can enable attackers to execute arbitrary commands with root privileges and bypass authorization mechanisms, potentially compromising the security and integrity of network access controls. Continue reading this Cybersecurity Threat Advisory to keep your environment safe.

What is the threat?

CVE-2025-20124 is a critical vulnerability in Cisco ISE, with a CVSS score of 9.9, caused by insecure deserialization of user-supplied Java byte streams. An attacker with authenticated access can exploit this flaw by sending crafted serialized Java objects to an affected API, leading to arbitrary command execution with elevated privileges.
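
For the monitoring side of CVE-2025-20124, the following added example (not from Cisco or the original advisory) flags captured HTTP request bodies that carry a Java serialization stream header in raw, base64 or hex form. The request records are constructed, and it assumes request bodies can be captured upstream of the appliance, for example at a proxy or from packet capture.

```python
import base64
import binascii
import re

# Java Object Serialization Stream header: STREAM_MAGIC 0xACED + STREAM_VERSION 0x0005.
JAVA_MAGIC = bytes.fromhex("aced0005")
# Base64 of any data starting with those four bytes begins with "rO0AB".
B64_CANDIDATE = re.compile(rb"rO0AB[A-Za-z0-9+/_-]*={0,2}")
HEX_CANDIDATE = re.compile(rb"(?i)aced0005(?:[0-9a-f]{2})*")


def find_serialized_java(body: bytes) -> list[str]:
    """Return the encodings ("raw", "base64", "hex") in which a Java
    serialization header appears in a captured request body."""
    hits = []
    if JAVA_MAGIC in body:
        hits.append("raw")
    for match in B64_CANDIDATE.finditer(body):
        # Normalise URL-safe base64 and repair padding before decoding.
        token = match.group(0).replace(b"-", b"+").replace(b"_", b"/").rstrip(b"=")
        token += b"=" * (-len(token) % 4)
        try:
            decoded = base64.b64decode(token)
        except (binascii.Error, ValueError):
            continue
        if decoded.startswith(JAVA_MAGIC):  # confirms all four header bytes
            hits.append("base64")
            break
    if HEX_CANDIDATE.search(body):  # can also match unrelated hex data
        hits.append("hex")
    return hits


# Constructed sample: header plus a truncated class descriptor (not a usable object).
SAMPLE = JAVA_MAGIC + b"\x73\x72\x00\x04Demo"
REQUESTS = [  # (request id, body) pairs, constructed for this example
    ("req-1", b'{"name":"guest-portal","enabled":true}'),
    ("req-2", SAMPLE),
    ("req-3", b'{"payload":"' + base64.b64encode(SAMPLE) + b'"}'),
    ("req-4", b"data=" + SAMPLE.hex().encode()),
]


def triage(requests):
    """Map request id -> encodings found, skipping requests with no hit."""
    flagged = {}
    for request_id, body in requests:
        hits = find_serialized_java(body)
        if hits:
            flagged[request_id] = hits
    return flagged
```

A hit is a triage lead rather than proof of exploitation: review it against which authenticated account sent the request and whether that client has any reason to send serialized Java.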

CVE-2025-20125 arises from improper validation of user-supplied data and a lack of authorization in a specific API. Authenticated attackers can exploit this by sending malicious HTTP requests, allowing them to obtain sensitive information, modify system configurations, and reload the device.

Why is it noteworthy?

Cisco ISE is used in enterprise environments for identity and access management and is crucial to enforcing security policies across networks. Exploiting these vulnerabilities undermines the trust and security of these environments, exposing sensitive data and disrupting business operations. These types of vulnerabilities are often targeted by advanced threat actors in sophisticated attacks.

What is the exposure or risk?

Organizations using vulnerable versions of Cisco ISE are at risk. The vulnerable versions include 3.0-3.3. Exploitation of these vulnerabilities can lead to:

  • Unauthorized command execution: Successful attacks can execute commands with root privileges, potentially leading to full system compromise.
  • Configuration tampering: Any unauthorized modification of system configurations can weaken security postures and open avenues for further attacks, including lateral movement.
  • Information disclosure: Access to sensitive information can facilitate data breaches and further exploitation.

What are the recommendations?

Barracuda recommends the following actions to protect your environment against this threat:

  • Limit administrative access to trusted users, implement system monitoring, and watch for any unusual activity.
  • Update Cisco ISE and ISE-PIC appliances to the following versions:
    • Version 3.0 to any of the updated versions below
    • Version 3.1 to 3.1P10
    • Version 3.2 to 3.2P7
    • Version 3.3 to 3.3P4

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.


Posted by Spartak Myrto

Spartak is a Cybersecurity Analyst at Barracuda MSP. He supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
