Cisco

A security researcher has published a blog post demonstrating a complete exploit chain for CVE-2025-20281, a critical unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE). This vulnerability allows unauthenticated, remote attackers to upload arbitrary files to the target system and execute them with root privileges. The issue stems from unsafe deserialization and command injection in the enableStrongSwanTunnel() method. Although hotfixes were made available, Cisco urged users to update to 3.3 Patch 7 and 3.4 Patch 2 to address both CVE-2025-20281 and the related CVE-2025-20337. On July 22, 2025, Cisco marked both vulnerabilities as actively exploited in attacks, urging admins to apply the security updates as soon as possible.

Source: https://www.bleepingcomputer.com/news/security/exploit-available-for-critical-cisco-ise-bug-exploited-in-attacks/

TPRM report: https://scoringcyber.rankiteo.com/company/cisco

"id": "cis905072925",
"linkid": "cisco",
"type": "Vulnerability",
"date": "7/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Technology',
                        'name': 'Cisco',
                        'type': 'Vendor'}],
 'attack_vector': 'Unauthenticated remote attack',
 'date_detected': '2025-06-25',
 'date_publicly_disclosed': '2025-06-25',
 'date_resolved': '2025-07-22',
 'description': 'Security researcher Bobby Gould has published a blog post '
                'demonstrating a complete exploit chain for CVE-2025-20281, an '
                'unauthenticated remote code execution vulnerability in Cisco '
                'Identity Services Engine (ISE). The critical vulnerability '
                'was first disclosed on June 25, 2025, with Cisco warning that '
                'it impacts ISE and ISE-PIC versions 3.3 and 3.4, allowing '
                'unauthenticated, remote attackers to upload arbitrary files '
                'to the target system and execute them with root privileges. '
                'The issue stems from unsafe deserialization and command '
                'injection in the enableStrongSwanTunnel() method. Three weeks '
                'later, the vendor added one more flaw to the same bulletin, '
                'CVE-2025-20337, which relates to the same flaw but is now '
                'broken down into two parts, CVE-2025-20281 (command '
                'injection) and CVE-2025-20337 (deserialization). Although '
                'hotfixes were previously made available, Cisco urged users to '
                'update to 3.3 Patch 7 and 3.4 Patch 2 to address both '
                'vulnerabilities. On July 22, 2025, Cisco marked both '
                'CVE-2025-20281 and CVE-2025-20337 as actively exploited in '
                'attacks, urging admins to apply the security updates as soon '
                'as possible.',
 'impact': {'systems_affected': 'Cisco ISE and ISE-PIC versions 3.3 and 3.4'},
 'post_incident_analysis': {'corrective_actions': 'Update to 3.3 Patch 7 and '
                                                  '3.4 Patch 2',
                            'root_causes': 'Unsafe deserialization and command '
                                           'injection in the '
                                           'enableStrongSwanTunnel() method.'},
 'recommendations': "Apply the patches as directed in the vendor's bulletin.",
 'references': [{'source': 'zerodayinitiative.com',
                 'url': 'https://www.zerodayinitiative.com'}],
 'response': {'containment_measures': 'Apply security updates',
              'remediation_measures': 'Update to 3.3 Patch 7 and 3.4 Patch 2'},
 'title': 'Critical Vulnerabilities in Cisco Identity Services Engine (ISE)',
 'type': 'Remote Code Execution',
 'vulnerability_exploited': ['CVE-2025-20281', 'CVE-2025-20337']}