Cyber Resilience

CVE-2025-20125

Critical

Published: 05 February 2025

Modified: 28 March 2025
KEV Added: not listed
Patch:
CVSS Score (v3.1): 9.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H)
EPSS Score: 0.0212 (84.5th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-20125 is a critical-severity Improper Authorization (CWE-285) vulnerability in Cisco Identity Services Engine. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 15.5% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A vulnerability in a specific API of Cisco Identity Services Engine (ISE) stems from missing authorization checks combined with insufficient validation of user-supplied input. The flaw permits an authenticated remote attacker who possesses valid read-only administrative credentials to retrieve sensitive data, alter node configurations, and trigger a node reload through a crafted HTTP request. The issue is tracked under CVE-2025-20125 with a CVSS 3.1 score of 9.1 and is associated with CWE-285 and CWE-862.

An attacker with read-only credentials can send the malicious request to the exposed API endpoint and thereby obtain information, modify system settings, and force a device reload. In single-node deployments the reload window prevents new authentications, amplifying operational impact. No unauthenticated exploitation path exists; valid low-privilege credentials are required.

The official Cisco Security Advisory cisco-sa-ise-multivuls-FTW9AOXF provides further details and remediation guidance. The EPSS score remains flat at 0.0212 with no observed rise after disclosure.


Vulnerability details

A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node. This vulnerability is due to a lack of authorization in a specific API and improper validation of user-supplied data. An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device. A successful exploit could allow the attacker to obtain information, modify system configuration, and reload the device. Note: To successfully exploit this vulnerability, the attacker must have valid read-only administrative credentials. In a single-node deployment, new devices will not be able to authenticate during the reload time.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application (tactic: Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1529 System Shutdown/Reboot (tactic: Impact): Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
T1005 Data from Local System (tactic: Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The API authorization bypass enables remote exploitation of a public-facing service (T1190) for privilege escalation (T1068), sensitive data access (T1005), and node reboot (T1529).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-20124 (same product: Cisco Identity Services Engine)
CVE-2025-20343 (same product: Cisco Identity Services Engine)
CVE-2025-20337 (same product: Cisco Identity Services Engine)
CVE-2025-20362 (same vendor: Cisco)
CVE-2025-20354 (same vendor: Cisco)
CVE-2025-20333 (same vendor: Cisco)
CVE-2026-5944 (same vendor: Cisco)
CVE-2025-20274 (same vendor: Cisco)
CVE-2026-20098 (same vendor: Cisco)
CVE-2026-20122 (same vendor: Cisco)

Affected Assets

Cisco Identity Services Engine: 3.1.0, 3.2.0, 3.3.0 · ≤ 3.1

Mitigating Controls (NIST 800-53 r5) (AI)

prevent (AC-3 Access Enforcement): Enforces approved authorizations in the Cisco ISE API to prevent read-only credential holders from obtaining sensitive information, changing configurations, or restarting the node.

prevent (SI-10 Information Input Validation): Validates user-supplied data in crafted HTTP requests to the affected API, mitigating the improper input validation that enables exploitation.

prevent: Restricts read-only administrative credentials to only the necessary view operations, reducing the impact of an authorization bypass that would otherwise allow configuration changes and node restarts.
