Cyber Resilience

CVE-2025-20281

Tags: Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Patch

Published: 25 June 2025
Modified: 28 October 2025
KEV Added: 28 July 2025

CVSS Score (v3.1): 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.3348 (97.0th percentile)
Risk Priority: 60 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-20281 is a critical-severity Injection (CWE-74) vulnerability in Cisco Identity Services Engine. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 3.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC allows an unauthenticated remote attacker to execute arbitrary code as root on the underlying operating system. The flaw stems from insufficient validation of user-supplied input; it is classified as CWE-74 (Injection) and carries a CVSS base score of 10.0.

An attacker can exploit the issue by submitting a crafted API request without any credentials, resulting in full root-level compromise of an affected device. The attack requires no user interaction and can be carried out remotely over the network.

The Cisco Security Advisory cisco-sa-ise-unauth-rce-ZAd2GnJ6 and CISA's Known Exploited Vulnerabilities catalog both address the issue, confirming active exploitation in the wild. The associated EPSS score has reached a peak of 0.3603 with a current value of 0.3348.

EU & UK References

Vulnerability details

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.

CWE(s): CWE-74 (Injection)
KEV Date Added: 28 July 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- Cisco Identity Services Engine: 3.3.0, 3.4.0
- Cisco Identity Services Engine Passive Identity Connector (ISE-PIC): 3.3.0, 3.4.0

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-10, Information Input Validation): Directly requires validation of all user-supplied input to the API, eliminating the root cause (insufficient input validation) that permits crafted requests to execute arbitrary code.
- prevent (AC-3, Access Enforcement): Enforces that the exposed API cannot be invoked without successful identification and authorization, blocking the unauthenticated remote attack path.
- prevent: Restricts network reachability to management APIs from untrusted zones, reducing the attack surface for unauthenticated crafted requests.
