Active Exploitation of Cisco ISE Zero-Day Vulnerability for Remote Code Execution
Hackers exploited a zero-day vulnerability in Cisco's Identity Services Engine (ISE), tracked as CVE-2025-20337, which allowed for pre-authentication remote code execution and administrator-level access to affected systems. Amazon Web Services researchers detected the campaign using their MadPot honeypot, observing that attackers deployed custom web shells disguised as legitimate Cisco ISE components, specifically IdentityAuditAction, and used Java APIs to inject themselves into running threads and monitor HTTP requests on Tomcat servers. The vulnerability, rated with a maximum CVSS score of 10, was actively exploited in the wild before Cisco had assigned a CVE or released comprehensive patches for all affected ISE branches.
Cisco released a patch for the flaw in July after confirming in-the-wild exploitation, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) subsequently added CVE-2025-20337 to its Known Exploited Vulnerabilities catalog. AWS CISO CJ Moses highlighted that the attackers' use of "patch-gap exploitation"—targeting systems before official disclosure and patch availability—demonstrates the sophistication of threat actors who rapidly weaponize newly discovered vulnerabilities. Organizations using Cisco ISE are urged to ensure patches are applied and to monitor for signs of compromise, particularly the presence of suspicious web shells or unauthorized HTTP listeners.
Timeline
Nov 13, 2025
Reports emerge of hackers exploiting a Cisco ISE zero-day
BankInfoSecurity and GovInfoSecurity reported that attackers exploited a zero-day vulnerability affecting Cisco Identity Services Engine (ISE). No additional technical details, victim information, or remediation timeline were provided in the references.
Related Stories

Amazon Identifies APT Exploiting Zero-Day Flaws in Cisco ISE and Citrix NetScaler
Amazon's threat intelligence team uncovered an advanced persistent threat (APT) actor actively exploiting two previously unknown zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix NetScaler ADC. The vulnerabilities, tracked as CVE-2025-5777 (Citrix Bleed 2) and CVE-2025-20337, allowed attackers to bypass authentication on Citrix NetScaler and achieve unauthenticated remote code execution on Cisco ISE, respectively. Amazon's MadPot honeypot network detected exploitation attempts before public disclosure, and further investigation revealed the deployment of a custom web shell disguised as a legitimate Cisco ISE component, enabling persistent access for the attackers. Both vulnerabilities were exploited in the wild before patches were available, highlighting the attackers' sophistication and their focus on critical identity and network access infrastructure. The campaign demonstrated the threat actors' ability to quickly weaponize vulnerabilities and exploit patch gaps, with Amazon sharing technical details and indicators of compromise with Cisco to aid in remediation. The custom malware used in these attacks was specifically tailored for Cisco ISE environments, and the exploitation activity underscores the increasing targeting of systems that enforce enterprise security policies and manage authentication. Both Cisco and Citrix have since released patches to address the vulnerabilities, but the incident serves as a warning about the risks posed by zero-day exploitation of core network and identity management platforms.
1 month ago
Cisco ISE Flaws Enable Authenticated Remote Code Execution and Root Escalation
Cisco disclosed two high-severity vulnerabilities in **Cisco Identity Services Engine (ISE)**, tracked as `CVE-2026-20180` and `CVE-2026-20186`, that allow an authenticated attacker to execute arbitrary commands on the underlying operating system by sending crafted HTTP requests. Both issues require at least **Read Only Admin** credentials and stem from insufficient validation of user-supplied input; Cisco mapped the flaws to **`CWE-22`** and **`CWE-77`** respectively. Cisco assigned both vulnerabilities the same **CVSS v3.1** score vector: `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`. Successful exploitation can provide user-level operating system access and may allow attackers to escalate privileges to **root**. Cisco warned that in **single-node ISE deployments**, exploitation could also make the affected node unavailable, creating a denial-of-service condition that prevents unauthenticated endpoints from accessing the network until the system is restored.
2 weeks ago
Critical Unauthenticated RCE Flaws Patched in Cisco ISE and ISE-PIC
Cisco disclosed two critical vulnerabilities in **Identity Services Engine (ISE)** and **ISE Passive Identity Connector (ISE-PIC)** that allow unauthenticated remote attackers to execute arbitrary code on the underlying operating system with **root privileges**. The flaws, tracked as `CVE-2025-20281` and `CVE-2025-20282`, are independent issues, meaning exploitation of one is not required to exploit the other. `CVE-2025-20281` affects Cisco ISE and ISE-PIC **version 3.3 and later**, while `CVE-2025-20282` affects **version 3.4 only**; Cisco said **version 3.2 and earlier are not affected**. Cisco also warned that `CVE-2025-20282` can enable arbitrary file upload and execution on vulnerable devices. Patches have been released, and organizations running affected deployments have been urged to update immediately.
1 week ago