Cyber Posture

CVE-2025-20125

Critical

Published: 05 February 2025
Modified: 28 March 2025
KEV Added: not listed
Patch: see the Cisco Security Advisory linked below
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H)
EPSS Score: 0.0212 (84.3rd percentile)
Risk Priority: 19 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-20125 is a critical-severity Improper Authorization (CWE-285) vulnerability in Cisco Identity Services Engine. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 15.7% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and three other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Enforces approved authorizations in the Cisco ISE API to prevent read-only credential holders from obtaining sensitive information, changing configurations, or restarting the node.
- prevent: Validates user-supplied data in crafted HTTP requests to the affected API, mitigating the improper input validation that enables exploitation.
- prevent: Restricts read-only administrative credentials to only the view operations they need, reducing the impact of an authorization bypass that would otherwise allow configuration changes and node restarts.
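The first two controls above (AC-3 access enforcement and SI-10 input validation) address the two root causes the advisory names: an API that authenticated callers but did not authorize the specific operation, and a request body that was used without validation. The following is an added illustration, not Cisco ISE code and not derived from the affected API: a small management-API dispatcher in its authentication-only form beside a hardened form that checks the caller's role against the privilege each operation needs and validates the configuration body against an allow-list schema. The operation names (`node.status`, `node.config`, `node.reload`), role names and config fields are hypothetical, constructed for this example.

```python
"""Added illustration (not Cisco ISE code): how an authentication-only API
dispatcher fails the way CWE-285/CWE-862 describes, next to a hardened version
that enforces per-operation authorization (NIST AC-3) and validates the
request body (NIST SI-10).  All operation, role and field names are
hypothetical, constructed for this example."""
from dataclasses import dataclass

# Hypothetical management operations and the privilege each one requires.
OPERATIONS = {
    "node.status": "read",    # safe for read-only administrators
    "node.config": "write",   # changes node configuration
    "node.reload": "reload",  # restarts the node (no authentication while reloading)
}

# Role -> privileges.  Any role not listed here gets nothing (deny by default).
ROLE_PRIVILEGES = {
    "read-only-admin": {"read"},
    "super-admin": {"read", "write", "reload"},
}

# Allow-list schema for the config body: field name -> expected type.
CONFIG_SCHEMA = {"hostname": str, "ntp_server": str}
MAX_FIELD_LEN = 253


@dataclass(frozen=True)
class Principal:
    username: str
    role: str
    authenticated: bool = True


class AuthzError(Exception):
    pass


class ValidationError(Exception):
    pass


def vulnerable_dispatch(principal, operation, payload=None):
    """'Before' pattern: the handler only checks that the caller is logged in,
    so a read-only credential reaches the write and reload operations."""
    if not principal.authenticated:
        return 401, "unauthenticated"
    if operation not in OPERATIONS:
        return 404, "unknown operation"
    return 200, f"{operation} executed for {principal.username}"


def authorize(principal, operation):
    """AC-3: compare the privilege the operation needs with the caller's role."""
    needed = OPERATIONS[operation]
    granted = ROLE_PRIVILEGES.get(principal.role, set())
    if needed not in granted:
        raise AuthzError(f"role {principal.role!r} lacks {needed!r} for {operation}")


def validate_config(payload):
    """SI-10: reject anything outside the allow-list schema before it is used."""
    if not isinstance(payload, dict):
        raise ValidationError("body must be a JSON object")
    unknown = set(payload) - set(CONFIG_SCHEMA)
    if unknown:
        raise ValidationError(f"unknown fields: {sorted(unknown)}")
    for key, expected in CONFIG_SCHEMA.items():
        if key not in payload:
            continue
        value = payload[key]
        if not isinstance(value, expected):
            raise ValidationError(f"{key} must be {expected.__name__}")
        if len(value) == 0 or len(value) > MAX_FIELD_LEN:
            raise ValidationError(f"{key} length out of range")


def hardened_dispatch(principal, operation, payload=None):
    """'After' pattern: authenticate, authorize the specific operation,
    validate the input, and only then execute."""
    if not principal.authenticated:
        return 401, "unauthenticated"
    if operation not in OPERATIONS:
        return 404, "unknown operation"
    try:
        authorize(principal, operation)
    except AuthzError as exc:
        return 403, str(exc)  # worth logging: a 403 on node.reload is a detection signal
    if operation == "node.config":
        try:
            validate_config(payload)
        except ValidationError as exc:
            return 400, str(exc)
    return 200, f"{operation} executed for {principal.username}"


# Constructed sample principals.
READ_ONLY = Principal("auditor", "read-only-admin")
SUPER = Principal("ops", "super-admin")

if __name__ == "__main__":
    print(vulnerable_dispatch(READ_ONLY, "node.reload"))   # (200, ...) -- the flaw
    print(hardened_dispatch(READ_ONLY, "node.reload"))     # (403, ...)
    print(hardened_dispatch(SUPER, "node.config", {"hostname": 42}))  # (400, ...)
```

The design point is that the authorization decision is made per operation from a single table, not per handler, so a new endpoint cannot be added without declaring the privilege it needs; unknown roles fall through to an empty privilege set. Denied write or reload attempts from read-only credentials are also the event a defender would alert on while the patch is being rolled out.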

MITRE ATT&CK Enterprise Techniques

- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1529 System Shutdown/Reboot (Impact): Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The API authorization bypass enables remote exploitation of a public-facing service (T1190) for privilege escalation (T1068), sensitive data access (T1005), and node reboot (T1529).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node. This vulnerability is due to a lack of authorization in a specific API and improper validation of user-supplied data. An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device. A successful exploit could allow the attacker to obtain information, modify system configuration, and reload the device. Note: To successfully exploit this vulnerability, the attacker must have valid read-only administrative credentials. In a single-node deployment, new devices will not be able to authenticate during the reload time.

Deeper analysis

CVE-2025-20125 is a vulnerability in an API of Cisco Identity Services Engine (ISE) that could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node. The flaw arises from a lack of authorization in a specific API combined with improper validation of user-supplied data, mapped to CWE-285 and CWE-862. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H).

An attacker with valid read-only administrative credentials can exploit the vulnerability remotely by sending a crafted HTTP request to the affected API on the ISE device. Successful exploitation allows the attacker to obtain sensitive information, modify system configurations, and reload the device. In single-node deployments, new devices will not be able to authenticate during the reload period.

Mitigation details are available in the Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multivuls-FTW9AOXF.

Details

CWE(s): CWE-285 (Improper Authorization), CWE-862 (Missing Authorization)

Affected Products

Cisco Identity Services Engine, versions 3.1.0, 3.2.0, 3.3.0 (and ≤ 3.1)

CVEs Like This One

- CVE-2025-20124 (same product: Cisco Identity Services Engine)
- CVE-2025-20343 (same product: Cisco Identity Services Engine)
- CVE-2025-20337 (same product: Cisco Identity Services Engine)
- CVE-2025-20362 (same vendor: Cisco)
- CVE-2025-20333 (same vendor: Cisco)
- CVE-2025-20354 (same vendor: Cisco)
- CVE-2025-20274 (same vendor: Cisco)
- CVE-2026-20098 (same vendor: Cisco)
- CVE-2026-20129 (same vendor: Cisco)
- CVE-2025-20156 (same vendor: Cisco)
