Cyber Resilience

CVE-2025-20124

CriticalRCE

Published: 05 February 2025

Published
05 February 2025
Modified
28 March 2025
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
EPSS Score 0.0951 93.0th percentile
Risk Priority 26 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-20124 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Cisco Identity Services Engine. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 7.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

A vulnerability in an API of Cisco ISE allows an authenticated remote attacker to execute arbitrary commands as the root user on an affected device. The issue stems from insecure deserialization of user-supplied Java byte streams and is tracked as CWE-502. Successful exploitation requires valid read-only administrative credentials and yields command execution with privilege elevation on the appliance.

An attacker can exploit the flaw by submitting a crafted serialized Java object to the affected API. In single-node deployments the attack may briefly disrupt new device authentications during any resulting reload. The vulnerability carries a CVSS 3.1 score of 9.9, reflecting network-accessible attack complexity that is low once read-only administrative credentials are obtained.

The published Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multivuls-FTW9AOXF provides official mitigation guidance and patch information. The associated EPSS score has remained flat at 0.0951 with no material post-disclosure increase observed.

EU & UK References

Vulnerability details

A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device. This vulnerability is due to insecure deserialization of user-supplied Java byte streams by the…

more

affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object to an affected API. A successful exploit could allow the attacker to execute arbitrary commands on the device and elevate privileges. Note: To successfully exploit this vulnerability, the attacker must have valid read-only administrative credentials. In a single-node deployment, new devices will not be able to authenticate during the reload time.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Insecure deserialization in public-facing ISE API directly enables remote exploitation (T1190) for arbitrary command execution via Unix shell (T1059.004) with root privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-20125Same product: Cisco Identity Services Engine
CVE-2025-20343Same product: Cisco Identity Services Engine
CVE-2025-20337Same product: Cisco Identity Services Engine
CVE-2026-20131Same vendor: Cisco
CVE-2026-20098Same vendor: Cisco
CVE-2026-20045Same vendor: Cisco
CVE-2025-20184Same vendor: Cisco
CVE-2025-20354Same vendor: Cisco
CVE-2025-20333Same vendor: Cisco
CVE-2025-20265Same vendor: Cisco

Affected Assets

cisco
identity services engine
3.1.0, 3.2.0, 3.3.0 · ≤ 3.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2025-20124 by identifying, reporting, and correcting the insecure deserialization flaw in the Cisco ISE API.

prevent

Prevents exploitation of the vulnerability by validating user-supplied Java byte streams prior to deserialization in the affected API.

prevent

Implements memory protections that block arbitrary command execution resulting from deserialization gadgets in the Cisco ISE API.

References