Cisco Confirms Active Exploits Targeting ISE Flaws Enabling Unauthenticated Root Access

Cisco on Monday updated its advisory of a set of recently disclosed security flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) to acknowledge active exploitation. "In July 2025, the Cisco PSIRT [Product Security Incident Response Team], became aware of attempted exploitation of some of these vulnerabilities in the wild," the company said in an alert. The network equipment vendor did not disclose which vulnerabilities have been weaponized in real-world attacks, the identity of the threat actors exploiting them, or the scale of the activity. Cisco ISE plays a central role in network access control, managing which users and devices are allowed onto corporate networks and under what conditions. A compromise at this layer could give attackers unrestricted access to internal systems, bypassing authentication controls and logging mechanisms—turning a policy engine into an open door. The vulnerabilities outlined in the alert are all critical-rated bugs (CVSS scores: 10.0) that could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user – CVE-2025-20281 andCVE-2025-20337 – Multiple vulnerabilities in a specific API that could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root CVE-2025-20282 – A vulnerability in an internal API that could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and…Read More