CVE-2025-20125
Published: 05 February 2025
Summary
CVE-2025-20125 is a critical-severity Improper Authorization (CWE-285) vulnerability in Cisco Identity Services Engine. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 15.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
A vulnerability in a specific API of Cisco Identity Services Engine (ISE) stems from missing authorization checks combined with insufficient validation of user-supplied input. The flaw permits an authenticated remote attacker who possesses valid read-only administrative credentials to retrieve sensitive data, alter node configurations, and trigger a node reload through a crafted HTTP request. The issue is tracked under CVE-2025-20125 with a CVSS 3.1 score of 9.1 and is associated with CWE-285 and CWE-862.
An attacker with read-only credentials can send the malicious request to the exposed API endpoint and thereby obtain information, modify system settings, and force a device reload. In single-node deployments the reload window prevents new authentications, amplifying operational impact. No unauthenticated exploitation path exists; valid low-privilege credentials are required.
The official Cisco Security Advisory cisco-sa-ise-multivuls-FTW9AOXF provides further details and remediation guidance. The EPSS score remains flat at 0.0212 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2153
Vulnerability details
A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node. This vulnerability is due to a lack of authorization in a specific API and improper validation of user-supplied data. An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device. A successful exploit could allow the attacker to obtain information, modify system configuration, and reload the device. Note: To successfully exploit this vulnerability, the attacker must have valid read-only administrative credentials. In a single-node deployment, new devices will not be able to authenticate during the reload time.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
API authorization bypass enables remote exploitation of public-facing service (T1190) for privilege escalation (T1068), sensitive data access (T1005), and node reboot (T1529).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations in the Cisco ISE API to prevent read-only credential holders from obtaining sensitive information, changing configurations, or restarting the node.
- SI-10 (Information Input Validation): Validates user-supplied data in crafted HTTP requests to the affected API, mitigating the improper input validation that enables exploitation.
- Restricts read-only administrative credentials to only the necessary view operations, reducing the impact of an authorization bypass that would otherwise allow configuration changes and node restarts.
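As an added illustration (not Cisco's code and not the real ISE API), the following shows the pattern described in the deeper analysis and addressed by the controls above: a handler that treats "authenticated" as "authorized" next to one that enforces per-operation role checks (AC-3) and validates configuration input against an allow-list (SI-10). Operation names, role names and the configuration allow-list are constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical operations, modelled on the actions the advisory describes
# (read node information, change node configuration, reload the node).
READ_OPS = {"get_node_info"}
WRITE_OPS = {"update_node_config", "reload_node"}
# AC-3: constructed policy mapping each role to the operations it may invoke.
ROLE_PERMISSIONS = {"read_only_admin": READ_OPS, "super_admin": READ_OPS | WRITE_OPS}
# SI-10: constructed allow-list of configuration keys and permitted values.
ALLOWED_CONFIG = {"log_level": {"INFO", "DEBUG", "WARN"}, "session_timeout": range(60, 86401)}

@dataclass
class Request:
    role: str        # role bound to the presented (already authenticated) credentials
    operation: str
    params: dict

class Denied(Exception):
    pass

def handle_vulnerable(req: Request) -> str:
    """CWE-285/CWE-862 pattern: a valid credential is assumed to be authorized,
    so a read-only credential reaches write operations such as a node reload."""
    if req.operation in READ_OPS | WRITE_OPS:
        return f"executed {req.operation}"
    raise Denied("unknown operation")

def handle_hardened(req: Request) -> str:
    """Server-side enforcement: per-operation role check, then strict input validation."""
    if req.operation not in ROLE_PERMISSIONS.get(req.role, set()):
        raise Denied(f"role {req.role!r} may not call {req.operation}")
    if req.operation == "update_node_config":
        for key, value in req.params.items():
            if key not in ALLOWED_CONFIG or value not in ALLOWED_CONFIG[key]:
                raise Denied(f"rejected parameter {key}={value!r}")
    return f"executed {req.operation}"

def outcome(handler, req: Request) -> str:
    """Run a handler and report the result as a string (executed or denied)."""
    try:
        return handler(req)
    except Denied as e:
        return f"denied: {e}"

if __name__ == "__main__":
    # Constructed request: read-only credentials attempting a node reload.
    reload_req = Request("read_only_admin", "reload_node", {})
    print(outcome(handle_vulnerable, reload_req))  # executed reload_node
    print(outcome(handle_hardened, reload_req))    # denied: role 'read_only_admin' may not call reload_node
```

The denial in the hardened handler is also the event worth logging and alerting on: a read-only administrative identity repeatedly invoking configuration or reload operations is a concrete detection signal for this class of flaw.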