Cisco patches two critical Identity Services Engine flaws

One gives root access, the other lets you steal info and reconfig nodes, in the right (or should that be wrong) circumstances

Cisco has fixed two critical vulnerabilities in its Identity Services Engine (ISE) that could allow an authenticated remote attacker to execute arbitrary commands as root or access sensitive information, modify configurations, and reload affected devices.

As if requiring authentication weren't hurdle enough: exploiting either of these 9.9- and 9.1-out-of-10-severity-rated bugs requires valid read-only administrative credentials.

But assuming a miscreant can steal or buy these admin logins, they can essentially fully and quietly take over your equipment even after you think you've managed to keep them out. It's worth noting that NCC Group blamed last year's surge in ransomware attacks partly on compromised credentials, so it's not like these are too difficult to obtain. Rogue insiders can also abuse these holes, of course.

Both bugs affect Cisco ISE and Cisco ISE Passive Identity Connector (ISE-PIC) versions 3.0 to 3.3, regardless of device configuration, and both have patches available to apply. Version 3.4 is not vulnerable to either flaw; folks using earlier affected versions are advised to upgrade to a fixed release as detailed in the advisory. 

Cisco also issued instructions on upgrading a device, which can be viewed in its Upgrade Guides documentation located on the Cisco Identity Services Engine support page.

As of now, the networking vendor isn't aware of any in-the-wild exploits. Here are the details on both.

The first flaw, CVE-2025-20124, stems from the insecure deserialization of user-supplied Java byte streams in Cisco ISE, which is network access control software that enforces security policies and manages endpoints across enterprises' IT environments.

The flaw exists in an API of Cisco ISE, and an attacker could exploit it by sending a crafted serialized Java object to an affected API. "A successful exploit could allow the attacker to execute arbitrary commands on the device and elevate privileges," the networking giant warned in its security advisory.
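The bug class behind CVE-2025-20124, as an added Java illustration that is not Cisco's code and says nothing about how the ISE API is actually implemented: a hypothetical `NodeConfigRequest` type, a handler that instantiates whatever class the incoming byte stream names, and the hardened form that pins deserialization to an allowlist with the JDK's `ObjectInputFilter`.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Set;

public class DeserializationDemo {
    // Hypothetical request object, standing in for whatever an API expects in its body.
    public static final class NodeConfigRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String nodeName;
        NodeConfigRequest(String nodeName) { this.nodeName = nodeName; }
    }
    // Vulnerable pattern: the byte stream names the class, so any serializable class on the
    // classpath is instantiated and its readObject()/readResolve() hooks run before the cast.
    static Object unsafeDeserialize(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an ObjectInputFilter (Java 9+) allowlists the expected classes and
    // caps nesting depth and array size; anything else is rejected before it is instantiated.
    static NodeConfigRequest safeDeserialize(byte[] body) throws IOException, ClassNotFoundException {
        Set<String> allowed = Set.of(NodeConfigRequest.class.getName(), String.class.getName());
        ObjectInputFilter filter = info -> {
            if (info.depth() > 3 || info.arrayLength() > 0) return ObjectInputFilter.Status.REJECTED;
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // callbacks without a class
            return allowed.contains(c.getName()) ? ObjectInputFilter.Status.ALLOWED
                                                 : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(filter);
            return (NodeConfigRequest) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new NodeConfigRequest("node-1")); // constructed sample input
        System.out.println("accepted: " + safeDeserialize(expected).nodeName);
        // A stream naming a class outside the allowlist (HashMap here) is rejected up front.
        try { safeDeserialize(serialize(new HashMap<>())); }
        catch (InvalidClassException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The filter runs before any constructor or deserialization hook of the named class, which is what makes the allowlist a meaningful control; logging the rejected class name from the `InvalidClassException` gives defenders a ready-made detection signal for crafted objects hitting an API.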

Cisco credited Deloitte's Dan Marin and Sebastian Radulea with spotting and reporting this vulnerability.

The second bug, an authorization bypass vulnerability tracked as CVE-2025-20125, was also disclosed by Radulea.

"A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node," Cisco warned. 

This flaw is due to a specific API not performing authorization checks or properly validating user-supplied data, and can be triggered by sending an HTTP request to the API on the device.

Cisco also notes that the vulnerabilities are not dependent on each other, so exploiting one of the two isn't necessary to exploit the other.  

"In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerability," the advisory added.

Both of these critical security holes follow an earlier 9.9-rated vulnerability in Cisco's Meeting Management tool that could allow a remote authenticated attacker with low privileges to escalate to administrator on affected devices. Cisco patched that flaw a couple of weeks ago. ®
