
Cisco has disclosed a new maximum-severity vulnerability affecting the Identity Services Engine (ISE) and the Cisco ISE Passive Identity Connector (ISE-PIC).
The flaw, tracked as CVE-2025-20337, is similar to CVE-2025-20281, which carries a CVSS score of 10.0 and was patched by the networking equipment major late last month.
“Multiple vulnerabilities in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit these vulnerabilities.

“These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.”
Kentaro Kawane of GMO Cybersecurity is credited with discovering and reporting the flaws. Kawane was previously recognized for two other significant Cisco ISE flaws (CVE-2025-20286 and CVE-2025-20282) and for a critical bug in Fortinet FortiWeb (CVE-2025-25257).
CVE-2025-20337 affects ISE and ISE-PIC releases 3.3 and 3.4 regardless of device configuration. Releases 3.2 and earlier are not affected. The issue has been patched in the following versions:
Cisco ISE or ISE-PIC Release 3.3: fixed in 3.3 Patch 7
Cisco ISE or ISE-PIC Release 3.4: fixed in 3.4 Patch 2
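For teams with more than a handful of ISE nodes, the practical question is which ones sit on an affected train below the fixed patch level. The script below is an added triage example, not Cisco's code; it encodes only the release and patch facts stated in the advisory above. The inventory records, their `(hostname, release, patch)` shape and the `SAMPLE_INVENTORY` data are constructed assumptions, not an ISE export format, and release trains newer than 3.4 are flagged for manual review rather than assumed safe.

```python
"""Triage a Cisco ISE / ISE-PIC inventory against the CVE-2025-20337 fixed releases.

Added example, not Cisco's code. Facts taken from the advisory text:
  - releases 3.3 and 3.4 are affected regardless of configuration
  - releases 3.2 and earlier are not affected
  - fixed in 3.3 Patch 7 and 3.4 Patch 2
The inventory record shape and sample data below are constructed assumptions.
"""
from dataclasses import dataclass

# Minimum patch level per affected release train (from the advisory).
FIXED_PATCH = {(3, 3): 7, (3, 4): 2}


@dataclass(frozen=True)
class IseNode:
    hostname: str
    release: str  # release string such as "3.3" or "3.4.0" (assumed format)
    patch: int    # installed cumulative patch number; 0 means no patch


def parse_release(release: str) -> tuple[int, int]:
    """Return the (major, minor) train from a release string such as '3.3' or '3.4.0'."""
    parts = release.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError(f"unrecognised release string: {release!r}")
    return int(parts[0]), int(parts[1])


def status(release: str, patch: int) -> str:
    """Classify one node: 'vulnerable', 'fixed', 'not_affected' or 'unknown'."""
    train = parse_release(release)
    if train in FIXED_PATCH:
        return "vulnerable" if patch < FIXED_PATCH[train] else "fixed"
    if train <= (3, 2):
        return "not_affected"
    # A train the advisory does not list (assumption: review manually, do not assume safe).
    return "unknown"


def triage(nodes):
    """Return (hostname, release, patch, required_patch) for every node still exposed."""
    findings = []
    for n in nodes:
        if status(n.release, n.patch) == "vulnerable":
            findings.append((n.hostname, n.release, n.patch, FIXED_PATCH[parse_release(n.release)]))
    return findings


# Constructed sample inventory; hostnames and patch levels are made up.
SAMPLE_INVENTORY = [
    IseNode("ise-pan-01", "3.3", 6),
    IseNode("ise-psn-02", "3.3", 7),
    IseNode("ise-pic-01", "3.4.0", 1),
    IseNode("ise-psn-03", "3.4", 2),
    IseNode("ise-legacy", "3.2", 4),
]

if __name__ == "__main__":
    for host, rel, patch, need in triage(SAMPLE_INVENTORY):
        print(f"{host}: ISE {rel} patch {patch} -> upgrade to {rel} patch {need}")
```

Run against a real inventory, the `unknown` bucket is the one to watch: a train not named in the advisory should be checked against Cisco's current advisory text, not silently treated as fixed.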
There is no evidence that the vulnerability has been exploited in the wild. That said, keeping systems up to date remains the best defence against potential threats.
Separately, the Shadowserver Foundation reported that threat actors are likely exploiting a publicly released exploit for the FortiWeb flaw CVE-2025-25257, with activity observed since July 11, 2025.

As of July 15, an estimated 77 compromised instances were observed, down from 85 the previous day. Most of the compromises are concentrated in North America (44), Asia (14), and Europe (13).
Data from Censys's attack surface management platform indicates that 20,098 Fortinet FortiWeb appliances, excluding honeypots, are exposed online, though it is currently unclear how many of them are vulnerable to CVE-2025-25257.
“This flaw allows unauthenticated attackers to execute arbitrary SQL commands via crafted HTTP requests, leading to remote code execution (RCE),” Censys said.