Critical Unauthenticated RCE Flaws Patched in Cisco ISE and ISE-PIC
Cisco disclosed two critical vulnerabilities in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that allow unauthenticated remote attackers to execute arbitrary code on the underlying operating system with root privileges. The flaws, tracked as CVE-2025-20281 and CVE-2025-20282, are independent issues, meaning exploitation of one is not required to exploit the other.
CVE-2025-20281 affects Cisco ISE and ISE-PIC version 3.3 and later, while CVE-2025-20282 affects version 3.4 only; Cisco said version 3.2 and earlier are not affected. Cisco also warned that CVE-2025-20282 can enable arbitrary file upload and execution on vulnerable devices. Patches have been released, and organizations running affected deployments have been urged to update immediately.
Timeline
Jun 26, 2025
Cisco releases patches for affected ISE and ISE-PIC versions
Cisco released fixes for the vulnerabilities and advised organizations to update immediately. CVE-2025-20281 affects ISE and ISE-PIC versions 3.3 and later, while CVE-2025-20282 affects version 3.4; version 3.2 and earlier are not affected.
Jun 26, 2025
Cisco discloses critical RCE flaws in ISE and ISE-PIC
Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) were found to contain two critical vulnerabilities, CVE-2025-20281 and CVE-2025-20282. The flaws allow unauthenticated remote code execution as root, with CVE-2025-20282 also enabling arbitrary file upload and execution on affected devices.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Sources
Related Stories
Critical Cisco ISE Flaws Enable Authenticated RCE and File Exposure
Cisco disclosed two vulnerabilities in **Identity Services Engine (ISE)** and **ISE Passive Identity Connector (ISE-PIC)** that can allow authenticated attackers to execute malicious code and access sensitive files. The most severe flaw, **`CVE-2026-20147`** with a **CVSS 9.9**, is an authenticated remote code execution issue that can provide user-level operating system access and may be escalated to **root**. A second flaw, **`CVE-2026-20148`** with a **CVSS 4.9**, is an authenticated path traversal vulnerability that can expose files from the underlying operating system.
1 weeks ago
Cisco ISE Flaws Enable Authenticated Remote Code Execution and Root Escalation
Cisco disclosed two high-severity vulnerabilities in **Cisco Identity Services Engine (ISE)**, tracked as `CVE-2026-20180` and `CVE-2026-20186`, that allow an authenticated attacker to execute arbitrary commands on the underlying operating system by sending crafted HTTP requests. Both issues require at least **Read Only Admin** credentials and stem from insufficient validation of user-supplied input; Cisco mapped the flaws to **`CWE-22`** and **`CWE-77`** respectively. Cisco assigned both vulnerabilities the same **CVSS v3.1** score vector: `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`. Successful exploitation can provide user-level operating system access and may allow attackers to escalate privileges to **root**. Cisco warned that in **single-node ISE deployments**, exploitation could also make the affected node unavailable, creating a denial-of-service condition that prevents unauthenticated endpoints from accessing the network until the system is restored.
2 weeks ago
Cisco Identity Services Engine XML External Entity Vulnerability
Cisco has disclosed and patched a vulnerability (CVE-2026-20029) in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that allows authenticated attackers with administrative privileges to exploit improper XML parsing in the web-based management interface. By uploading a malicious file, an attacker could read arbitrary files from the underlying operating system, potentially accessing sensitive data that should not be available even to administrators. Cisco has confirmed that there is public proof-of-concept exploit code available, though there is no evidence of active exploitation at this time. The company strongly recommends upgrading to the fixed software versions, as no workarounds are available and mitigations are only temporary. The vulnerability affects all versions of Cisco ISE and ISE-PIC prior to the fixed releases, with specific patches available for versions 3.2, 3.3, and 3.4, while version 3.5 is not vulnerable. Cisco emphasizes the importance of prompt patching to prevent potential exploitation, especially given the availability of exploit code. The flaw is rated with a CVSS base score of 4.9 and is due to improper XML external entity processing (CWE-611).
1 months ago