CVE-2025-20124
Published: 05 February 2025
Summary
CVE-2025-20124 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Cisco Identity Services Engine. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 7.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
A vulnerability in an API of Cisco ISE allows an authenticated remote attacker to execute arbitrary commands as the root user on an affected device. The issue stems from insecure deserialization of user-supplied Java byte streams and is tracked as CWE-502. Successful exploitation requires valid read-only administrative credentials and yields command execution with privilege elevation on the appliance.
An attacker can exploit the flaw by submitting a crafted serialized Java object to the affected API. In single-node deployments the attack may briefly disrupt new device authentications during any resulting reload. The vulnerability carries a CVSS 3.1 score of 9.9, reflecting network-accessible attack complexity that is low once read-only administrative credentials are obtained.
The published Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multivuls-FTW9AOXF provides official mitigation guidance and patch information. The associated EPSS score has remained flat at 0.0951 with no material post-disclosure increase observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2152
Vulnerability details
A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device. This vulnerability is due to insecure deserialization of user-supplied Java byte streams by the…
more
affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object to an affected API. A successful exploit could allow the attacker to execute arbitrary commands on the device and elevate privileges. Note: To successfully exploit this vulnerability, the attacker must have valid read-only administrative credentials. In a single-node deployment, new devices will not be able to authenticate during the reload time.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Insecure deserialization in public-facing ISE API directly enables remote exploitation (T1190) for arbitrary command execution via Unix shell (T1059.004) with root privilege escalation (T1068).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CVE-2025-20124 by identifying, reporting, and correcting the insecure deserialization flaw in the Cisco ISE API.
Prevents exploitation of the vulnerability by validating user-supplied Java byte streams prior to deserialization in the affected API.
Implements memory protections that block arbitrary command execution resulting from deserialization gadgets in the Cisco ISE API.