CVE-2025-20337 — Cisco Identity Services Engine Injection Vulnerability

Cisco ISE — Second Pre-Auth API Injection Enabling Root RCE (CVSS 10; Same Advisory as CVE-2025-20281)

What is Cisco Identity Services Engine?

Cisco Identity Services Engine (ISE) is the core network access control (NAC) and policy management platform used by enterprises to enforce who, what, and how devices connect to corporate networks. ISE authenticates users and devices, enforces security policies, and integrates with Active Directory, LDAP, and PKI infrastructure. Compromising ISE gives an attacker the ability to bypass network access controls, extract credential stores, and gain unrestricted network access across the enterprise. See also CVE-2025-20281, the companion injection vulnerability in the same advisory.

Overview

CVE-2025-20337 is the second of two CVSS 10.0 injection vulnerabilities (CWE-74) in Cisco ISE disclosed in advisory cisco-sa-ise-unauth-rce-ZAd2GnJ6, alongside CVE-2025-20281 and CVE-2025-20282. Like CVE-2025-20281, it allows an unauthenticated remote attacker to send a crafted API request injecting OS commands for root remote code execution — but via a distinct API endpoint. Both injection CVEs affect only ISE 3.3 and 3.4; earlier versions are not vulnerable. CISA added both to the KEV catalog simultaneously on July 28, 2025, confirming attempted exploitation.

Affected Versions

Product                     Vulnerable                    Fixed
Cisco ISE 3.3               All builds before Patch 7     ISE 3.3 Patch 7
Cisco ISE 3.4               All builds before Patch 2     ISE 3.4 Patch 2
Cisco ISE-PIC 3.3           All builds before Patch 7     ISE-PIC 3.3 Patch 7
Cisco ISE-PIC 3.4           All builds before Patch 2     ISE-PIC 3.4 Patch 2
Cisco ISE 3.2 and earlier   Not affected                  n/a
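The table above is easy to misread in an inventory script, so here is an added example (not from Cisco or the advisory) that turns it into a check: parse an ISE build string, map it to its release train, and compare the patch level against the fixed patch from the table. The accepted version-string shapes ("3.3 Patch 5", "3.4.0.608", "3.4 p2") are an assumption for this example; map whatever your inventory tool reports onto them. Trains newer than 3.4 return None because the table says nothing about them.

```python
import re
from typing import Optional, Tuple

# Fixed patch level per affected release train, taken from the advisory table.
# ISE and ISE-PIC share the same patch numbers for CVE-2025-20337.
FIXED_PATCH = {"3.3": 7, "3.4": 2}

# Assumed version-string format for this example: "<major>.<minor>[.<build>...]"
# optionally followed by "Patch N" or "pN". Adjust to your inventory source.
_VERSION_RE = re.compile(
    r"^\s*(?P<major>\d+)\.(?P<minor>\d+)(?:\.\d+)*"
    r"(?:\s*(?:patch|p)\s*(?P<patch>\d+))?\s*$",
    re.IGNORECASE,
)


def parse_ise_version(text: str) -> Tuple[str, int]:
    """Return (train, patch) from a version string.

    A missing patch suffix is treated as patch 0, i.e. the GA build.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    train = f"{m.group('major')}.{m.group('minor')}"
    patch = int(m.group("patch") or 0)
    return train, patch


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the build is affected by CVE-2025-20337, False if it is
    fixed or out of scope (3.2 and earlier), None if the train is newer
    than the advisory table covers and must be checked separately."""
    train, patch = parse_ise_version(text)
    if train in FIXED_PATCH:
        return patch < FIXED_PATCH[train]
    major, minor = (int(x) for x in train.split("."))
    if (major, minor) < (3, 3):
        return False
    return None


if __name__ == "__main__":
    for build in ("3.3 Patch 5", "3.3 Patch 7", "3.4.0.608", "3.4 p2", "3.2 Patch 9", "3.5"):
        print(f"{build:14s} vulnerable={is_vulnerable(build)}")
```

Treating a missing patch suffix as patch 0 errs on the side of flagging a host; an inventory tool that omits the patch level for a fully patched node will therefore produce a false positive that needs a manual look rather than a silent miss.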

Technical Details

The vulnerability (CWE-74: Injection) is in a specific ISE REST API endpoint, distinct from the endpoint affected by CVE-2025-20281. Insufficient validation of user-supplied API request parameters allows injection of OS commands, achieving root-level code execution without authentication. Cisco deliberately withholds the specific endpoint name from the public advisory. Its CVSS 10.0 score and impact are identical to those of CVE-2025-20281: both flaws are equally severe and directly exploitable without authentication or any user interaction.

Discovery

Discovered by Kentaro Kawane of GMO Cybersecurity by Ierae (Japan), who also discovered the companion CVE-2025-20282 (file upload vulnerability).

Exploitation Context

Cisco PSIRT confirmed attempted exploitation of CVE-2025-20337 (and companion CVE-2025-20281) in the wild in July 2025. CISA added both to the KEV catalog on 28 July 2025 with a 21-day federal deadline. The simultaneous disclosure of two distinct unauthenticated RCE paths (CVE-2025-20281 and CVE-2025-20337) in the same ISE release indicates a systematic lack of input validation across the ISE API surface in versions 3.3 and 3.4.

Remediation

  1. Apply ISE 3.3 Patch 7 or ISE 3.4 Patch 2 immediately — patches address CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337 together.
  2. Restrict ISE API network access to trusted administrative subnets — block external access to ISE admin and REST API interfaces at the perimeter firewall.
  3. Also see CVE-2025-20281 — both injection CVEs must be patched; neither is more critical than the other.
  4. Review ISE audit logs for unexpected API calls and validate all ISE policies for unauthorized changes.
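Steps 2 and 4 above amount to two checks against the API access logs: requests to the REST API from outside the trusted administrative subnets, and successful API requests that carry no authenticated identity. The following is an added example, not Cisco tooling, that runs both checks over a few constructed log lines. The log format is an assumed combined-log style (source IP, user, timestamp, request line, status), the trusted subnets and the `/api/`, `/ers/` path prefixes are assumptions, and `/api/v1/example` is a placeholder path, not the withheld vulnerable endpoint; map your real ISE log fields onto `parse_line` before using it.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Assumed trusted administrative subnets for this example.
TRUSTED_ADMIN_NETS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
]
# Assumed API path prefixes to watch. The vulnerable endpoint is not public,
# so the check covers the whole API surface rather than one path.
API_PREFIXES = ("/api/", "/ers/")

# Assumed combined-log-style line: ip ident user [timestamp] "METHOD path proto" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
10.10.0.5 - admin [28/Jul/2025:09:12:01 +0000] "GET /api/v1/policy HTTP/1.1" 200
203.0.113.45 - - [28/Jul/2025:09:13:44 +0000] "POST /api/v1/example HTTP/1.1" 200
203.0.113.45 - - [28/Jul/2025:09:13:45 +0000] "POST /api/v1/example HTTP/1.1" 500
192.168.100.7 - - [28/Jul/2025:09:14:10 +0000] "GET /admin/login HTTP/1.1" 200
10.10.0.5 - admin [28/Jul/2025:09:15:00 +0000] "PUT /ers/config/endpoint HTTP/1.1" 200
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one access-log line; return None for blank or unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted_source(ip_text: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable source is never trusted
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def triage(lines: Iterable[str]) -> List[Dict]:
    """Return API requests that violate the network restriction (step 2) or
    succeeded without an authenticated identity (step 4), with the reasons."""
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or not rec["path"].startswith(API_PREFIXES):
            continue
        reasons = []
        if not is_trusted_source(rec["ip"]):
            reasons.append("api_from_untrusted_source")
        if rec["user"] == "-" and 200 <= rec["status"] < 300:
            reasons.append("unauthenticated_api_success")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def source_summary(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per source IP to prioritise which hosts to examine first."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["ts"], h["ip"], h["method"], h["path"], h["status"], h["reasons"])
    print("per-source:", source_summary(hits))
```

The untrusted-source rule is the one that should be firing zero times once the perimeter block from step 2 is in place, so any hit on it after patching is itself a sign the restriction is not effective. A failed request (the 500 in the sample) from an untrusted source is still reported: it is evidence that the API was reachable from where it should not have been.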

Key Details

Property               Value
CVE ID                 CVE-2025-20337
Vendor / Product       Cisco — Identity Services Engine
NVD Published          2025-07-16
NVD Last Modified      2025-10-28
CVSS 3.1 Score         10
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-74
CISA KEV Added         2025-07-28
CISA KEV Deadline      2025-08-18
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2025-08-18. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-06-25   Cisco advisory cisco-sa-ise-unauth-rce-ZAd2GnJ6 released (covers CVE-2025-20281, -20282, and -20337)
2025-07-16   CVE-2025-20337 formally published
2025-07-28   CISA adds CVE-2025-20281 and CVE-2025-20337 to KEV catalog
2025-08-18   CISA BOD 22-01 remediation deadline