Cisco has disclosed a new maximum-severity security vulnerability impacting Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could permit an attacker to execute arbitrary code on the underlying operating system with elevated privileges. Tracked as CVE-2025-20337, the shortcoming carries a CVSS score of 10.0 and is similar to CVE-2025-20281, which was patched by the networking equipment major late last month. "Multiple vulnerabilities in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit these vulnerabilities," the company said in an updated advisory. "These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device." Kentaro Kawane of GMO Cybersecurity has been credited with discovering and reporting the flaw. Kawane was previously acknowledged for two other critical Cisco ISE flaws (CVE-2025-20286 and CVE-2025-20282) and another critical bug in Fortinet FortiWeb (CVE-2025-25257) CVE-2025-20337 affects ISE and ISE-PIC releases 3.3 and 3.4, regardless of device configuration. It does not impact ISE and ISE-PIC release 3.2 or earlier. The issue has been patched in the…Read More