CVE-2025-20124
Published: 05 February 2025
Summary
CVE-2025-20124 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Cisco Identity Services Engine. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 7.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2025-20124 by identifying, reporting, and correcting the insecure deserialization flaw in the Cisco ISE API.
Prevents exploitation of the vulnerability by validating user-supplied Java byte streams prior to deserialization in the affected API.
Implements memory protections that block arbitrary command execution resulting from deserialization gadgets in the Cisco ISE API.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Insecure deserialization in public-facing ISE API directly enables remote exploitation (T1190) for arbitrary command execution via Unix shell (T1059.004) with root privilege escalation (T1068).
NVD Description
A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device. This vulnerability is due to insecure deserialization of user-supplied Java byte streams by the…
more
affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object to an affected API. A successful exploit could allow the attacker to execute arbitrary commands on the device and elevate privileges. Note: To successfully exploit this vulnerability, the attacker must have valid read-only administrative credentials. In a single-node deployment, new devices will not be able to authenticate during the reload time.
Deeper analysisAI
CVE-2025-20124 is a critical vulnerability in an API of Cisco Identity Services Engine (ISE), caused by insecure deserialization of user-supplied Java byte streams in the affected software. This deserialization flaw allows an authenticated, remote attacker to execute arbitrary commands as the root user on impacted devices. The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H) and is associated with CWE-502 (Deserialization of Untrusted Data). It was published on 2025-02-05.
An attacker requires valid read-only administrative credentials to exploit the vulnerability remotely over the network with low complexity and no user interaction. By sending a crafted serialized Java object to the affected API, the attacker can achieve arbitrary command execution on the device and privilege escalation to root. In single-node ISE deployments, exploitation may disrupt authentication for new devices during reload periods.
Cisco has issued a security advisory addressing this and related vulnerabilities in ISE at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multivuls-FTW9AOXF, which provides details on affected versions and recommended mitigation steps.
Details
- CWE(s)