What is Cisco Identity Services Engine?
Cisco Identity Services Engine (ISE) is the core network access control (NAC) and policy management platform used by enterprises to enforce which users and devices may connect to corporate networks, and under what conditions. ISE authenticates users and devices, enforces security policies (posture checks, device profiling), and integrates with Active Directory, LDAP, and PKI. Because ISE controls network access decisions across the entire enterprise — including VPN, Wi-Fi, wired, and cloud access — compromising it gives an attacker the ability to bypass network access controls, create rogue authentication profiles, and gain unrestricted network access. ISE is deployed in some of the world's most security-sensitive environments, including government agencies and defense contractors.
Overview
CVE-2025-20281 is one of three vulnerabilities disclosed simultaneously in Cisco ISE advisory cisco-sa-ise-unauth-rce-ZAd2GnJ6, alongside CVE-2025-20337 and CVE-2025-20282. It is a CVSS 10.0 injection vulnerability (CWE-74) in a specific ISE API. An unauthenticated remote attacker can send a crafted API request to inject OS commands, achieving root remote code execution on the ISE appliance. CVE-2025-20281 and CVE-2025-20337 target different API endpoints but are the same class of vulnerability; CVE-2025-20282 (file upload to privileged directories) completes the trio. Cisco confirmed attempted exploitation in the wild before CISA added both injection CVEs to the KEV catalog.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Cisco ISE 3.3 | All builds before Patch 7 | ISE 3.3 Patch 7 |
| Cisco ISE 3.4 | All builds before Patch 2 | ISE 3.4 Patch 2 |
| Cisco ISE-PIC 3.3 | All builds before Patch 7 | ISE-PIC 3.3 Patch 7 |
| Cisco ISE-PIC 3.4 | All builds before Patch 2 | ISE-PIC 3.4 Patch 2 |
| Cisco ISE 3.2 and earlier | Not affected | — |
Technical Details
The vulnerability (CWE-74: Injection) is in a specific ISE REST API endpoint. Insufficient validation of user-supplied input in the API allows an unauthenticated attacker to craft a request whose parameters are interpreted as OS commands by the underlying system. Exploitation achieves root-level code execution on the ISE appliance. Cisco deliberately does not disclose the specific API endpoint name in the advisory to reduce immediate exploitation risk, but both CVE-2025-20281 and CVE-2025-20337 represent distinct injection points within the ISE API surface — both requiring no authentication and both achieving root RCE.
CVE-2025-20282 (the third CVE in the same advisory) is a related file upload vulnerability in ISE 3.4 that allows uploading files to privileged directories without authentication.
Discovery
CVE-2025-20281 was discovered by Bobby Gould of Trend Micro's Zero Day Initiative, who reported it to Cisco through the ZDI coordinated disclosure program.
Exploitation Context
Cisco PSIRT confirmed attempted exploitation of CVE-2025-20281 (and companion CVE-2025-20337) in the wild in July 2025. CISA added both CVEs to the KEV catalog on 28 July 2025 with a 21-day federal remediation deadline. ISE is a high-value target: full ISE compromise enables an attacker to create rogue device profiles, bypass network access controls, and extract the ISE's entire identity and policy database — including RADIUS shared secrets, PKI certificates, and integrated Active Directory credentials.
Remediation
- Apply ISE 3.3 Patch 7 or ISE 3.4 Patch 2 immediately — download from Cisco Software Center.
- Also address CVE-2025-20337 and CVE-2025-20282 — all three are patched in the same ISE patch releases.
- Restrict ISE API access: apply ACLs or firewall rules to limit network access to the ISE admin and API interfaces to trusted administrative subnets only.
- Review ISE audit logs for unexpected API calls from external or unknown IP addresses.
- Validate ISE policy integrity: if compromise is suspected, review all authentication policies, device profiles, and RADIUS configurations for unauthorized modifications.
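Two of the remediation items above (patch level and audit-log review for API calls from untrusted addresses) can be turned into routine checks. The following is an added example written for this page, not code from Cisco or from the advisory. It classifies an ISE / ISE-PIC node against the fixed releases in the Affected Versions table, and filters audit records for API requests whose source IP is outside the trusted administrative subnets. The audit-log line format, its field names, the `api-audit` tag, the placeholder API paths and the subnet values are all assumptions for illustration; real ISE log output differs and the regex must be adapted to it.

```python
"""Defender-side checks derived from this page's remediation list.

Added example, not code from Cisco or from the advisory. Two functions:

- patch_status(): classifies an ISE / ISE-PIC node against the fixed releases
  named on this page (3.3 Patch 7, 3.4 Patch 2; 3.2 and earlier not affected).
- untrusted_api_calls(): flags API audit records whose source address lies
  outside the trusted administrative subnets.

The audit-log line format, field names and subnet values are assumptions made
for illustration; real ISE log output differs and the regex must be adapted.
"""
import ipaddress
import re

# First fixed patch level per release train, from the Affected Versions table.
FIXED_PATCH = {"3.3": 7, "3.4": 2}


def patch_status(train: str, patch: int) -> str:
    """Return 'fixed', 'vulnerable', 'not-affected' or 'unknown'.

    train is the release train as reported by the node, e.g. '3.4';
    patch is the installed cumulative patch number (0 if no patch is applied).
    """
    fixed = FIXED_PATCH.get(train)
    if fixed is not None:
        return "fixed" if patch >= fixed else "vulnerable"
    major, minor = (int(part) for part in train.split(".")[:2])
    if (major, minor) < (3, 3):
        return "not-affected"      # ISE 3.2 and earlier per the advisory
    return "unknown"               # train not listed on this page: check the advisory


# Assumed trusted administrative subnets (RFC 1918 placeholders).
TRUSTED_ADMIN_SUBNETS = ["10.20.30.0/24", "192.168.100.0/24"]

# Constructed sample audit lines in an assumed key=value format; the path values
# are placeholders and do not name any real ISE endpoint.
SAMPLE_LOG = """\
2025-07-29T10:01:12Z ise-node1 api-audit src=10.20.30.5 method=GET path=/api/placeholder status=200
2025-07-29T10:02:40Z ise-node1 api-audit src=203.0.113.44 method=POST path=/api/placeholder status=200
2025-07-29T10:03:05Z ise-node1 auth-audit user=admin result=success
2025-07-29T10:04:51Z ise-node2 api-audit src=192.168.100.7 method=POST path=/api/placeholder status=403
2025-07-29T10:05:19Z ise-node2 api-audit src=198.51.100.9 method=POST path=/api/placeholder status=200
"""

API_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) api-audit src=(?P<src>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)


def untrusted_api_calls(log_text: str, trusted_cidrs) -> list:
    """Return parsed api-audit records whose source IP is outside trusted_cidrs."""
    nets = [ipaddress.ip_network(cidr) for cidr in trusted_cidrs]
    hits = []
    for line in log_text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # not an API audit record (or a format we do not parse)
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            # A source field that is not an address is itself worth a look.
            hits.append({**m.groupdict(), "reason": "unparseable source address"})
            continue
        if not any(src in net for net in nets):
            hits.append({**m.groupdict(), "reason": "source outside trusted subnets"})
    return hits


if __name__ == "__main__":
    print("3.3 Patch 6:", patch_status("3.3", 6), "| 3.4 Patch 2:", patch_status("3.4", 2))
    for hit in untrusted_api_calls(SAMPLE_LOG, TRUSTED_ADMIN_SUBNETS):
        print(hit["ts"], hit["host"], hit["src"], hit["method"], hit["path"], hit["reason"])
```

Run as a script it prints the patch classification and the two constructed records from outside the trusted subnets. In practice, feed `untrusted_api_calls` the exported audit log and `patch_status` the version and patch reported by each node; any node that returns `unknown` is a newer train not covered by this page and should be checked against the advisory directly.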
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-20281 |
| Vendor / Product | Cisco — Identity Services Engine |
| NVD Published | 2025-06-25 |
| NVD Last Modified | 2025-10-28 |
| CVSS 3.1 Score | 10.0 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-74 |
| CISA KEV Added | 2025-07-28 |
| CISA KEV Deadline | 2025-08-18 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-06-25 | CVE published; Cisco advisory cisco-sa-ise-unauth-rce-ZAd2GnJ6 released covering CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337 |
| 2025-07-28 | CISA adds CVE-2025-20281 and CVE-2025-20337 to KEV catalog after attempted exploitation confirmed |
| 2025-08-18 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Cisco Security Advisory — cisco-sa-ise-unauth-rce-ZAd2GnJ6 | Vendor Advisory |
| NVD — CVE-2025-20281 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |