![Critical ISE Vulnerabilities](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtIAMKVB1aaKFqo6-u_8XzIiAgUwmjj6aJ5qz5OlLcQ9_EzKggllKzZgH-i2pXiqta86unQU2jUnckgc9MaRHtjnFh4XZSbyBu0tdEeF-gY9pT-F-mqTXMbkymZdjSDDr21NCYB3bnJxT8KIZMoDlBSA_1F7uPdupn4F2KPCRhoNU_cMMM8dKWObSrxHhg/s728-rw-e365/cisco.jpg)
Cisco has released updates to address two critical security flaws in Identity Services Engine (ISE) that could allow remote attackers to execute arbitrary commands and escalate privileges on affected devices.
The vulnerabilities are listed below –
- CVE-2025-20124 (CVSS score: 9.9) – An insecure Java deserialization vulnerability in an API of Cisco ISE that could allow an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device.
- CVE-2025-20125 (CVSS score: 9.1) – An authorization bypass vulnerability in an API of Cisco ISE that could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node.
An attacker could exploit either flaw by sending a crafted serialized Java object or a crafted HTTP request to an unspecified API endpoint, leading to privilege escalation and code execution.
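As an added illustration (this is not code from the advisory or from Cisco ISE), the following Java program shows the bug class behind CVE-2025-20124: an API handler that feeds a user-supplied Java byte stream straight into a bare ObjectInputStream, next to the same handler hardened with a JEP 290 deserialization filter that allowlists only the expected class. The NodeStatusRequest and GadgetStandIn classes, the handler names, and the depth/size limits are assumptions chosen for the example; the real ISE endpoint and any real gadget chain are not described on this page, so the "gadget" here only records that its readObject() ran.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example of the insecure-deserialization bug class. Not Cisco ISE code;
// all class and method names below are assumptions made for this illustration.
public class DeserializationDemo {

    // Hypothetical payload type the API endpoint legitimately expects.
    public static final class NodeStatusRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String nodeName;
        public NodeStatusRequest(String nodeName) { this.nodeName = nodeName; }
    }

    // Stand-in for a gadget class: any Serializable class on the server classpath
    // whose readObject() (or a chain of nested objects) does something dangerous.
    // A real chain would end in something like Runtime.exec(); this one only sets a flag.
    public static final class GadgetStandIn implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            SIDE_EFFECT_TRIGGERED = true;
        }
    }
    static boolean SIDE_EFFECT_TRIGGERED = false;

    // VULNERABLE: whatever class name is in the stream gets resolved and instantiated,
    // so an attacker can drive any Serializable class present on the classpath.
    static Object handleRequestVulnerable(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // HARDENED: a JEP 290 ObjectInputFilter allowlist (expected class plus java.lang.String,
    // with depth and byte caps) rejects every other class before its readObject() can run.
    static Object handleRequestHardened(byte[] body) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;maxbytes=65536;"
            + NodeStatusRequest.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    // Helper to build request bodies; an attacker would generate the hostile bytes offline.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new NodeStatusRequest("ise-psn-01"));   // constructed legitimate body
        byte[] hostile = serialize(new GadgetStandIn());                   // constructed attacker body

        System.out.println("vulnerable/benign : "
            + handleRequestVulnerable(benign).getClass().getSimpleName());
        handleRequestVulnerable(hostile);
        System.out.println("vulnerable/hostile: gadget readObject ran = " + SIDE_EFFECT_TRIGGERED);

        SIDE_EFFECT_TRIGGERED = false;
        System.out.println("hardened/benign   : "
            + handleRequestHardened(benign).getClass().getSimpleName());
        try {
            handleRequestHardened(hostile);
        } catch (InvalidClassException e) {
            System.out.println("hardened/hostile  : rejected (" + e.getMessage()
                + "), gadget readObject ran = " + SIDE_EFFECT_TRIGGERED);
        }
    }
}
```

The point of the filter is that rejection happens when the class descriptor is resolved, before any instance exists, which is why the gadget's readObject() never runs in the hardened path. A process-wide filter can also be set with the jdk.serialFilter system property, but an explicit per-stream allowlist is the safer default for an API that accepts bytes from authenticated but untrusted users, which is exactly the population CVE-2025-20125 expands.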
Cisco said the two vulnerabilities are not dependent on each other, and that there are no workarounds that address them. They are fixed in the following releases –
- Cisco ISE Software Release 3.0 (migrate to a fixed release)
- Cisco ISE Software Release 3.1 (fixed in 3.1P10)
- Cisco ISE Software Release 3.2 (fixed in 3.2P7)
- Cisco ISE Software Release 3.3 (fixed in 3.3P4)
- Cisco ISE Software Release 3.4 (not vulnerable)
Deloitte security researchers Dan Marin and Sebastian Ladurea have been credited with discovering and reporting the vulnerabilities.
Although the networking equipment major said it is not aware of any malicious exploitation of the flaws, users are advised to keep their systems up to date for optimal protection.