CVE-2025-20337
Published: 16 July 2025
Summary
CVE-2025-20337 is a critical-severity Injection (CWE-74) vulnerability in Cisco Identity Services Engine. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and patching of the specific flaw causing insufficient input validation in the Cisco ISE API, preventing arbitrary code execution.
Directly enforces comprehensive input validation mechanisms at API entry points to block crafted requests leading to root-level RCE.
Mandates regular vulnerability scanning to detect this critical CVE in Cisco ISE, enabling prompt flaw remediation before exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated RCE on public-facing Cisco ISE API with root privileges via crafted input (CWE-74).
NVD Description
A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this…
more
vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.
Deeper analysisAI
CVE-2025-20337 is a critical vulnerability in a specific API of Cisco Identity Services Engine (ISE) and Cisco ISE-PIC that enables an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system with root privileges. The issue stems from insufficient validation of user-supplied input, as identified under CWE-74. It carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating maximum severity due to its network accessibility, low complexity, and lack of prerequisites.
An unauthenticated, remote attacker can exploit this vulnerability by submitting a crafted API request without needing valid credentials. Successful exploitation grants root-level access to the affected device, potentially allowing full compromise, including data exfiltration, persistence, or further lateral movement within the network.
The Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6 provides details on affected versions and mitigation steps, such as applying patches. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-20337, indicating active exploitation in the wild and urging immediate remediation.
Security practitioners should prioritize patching affected Cisco ISE instances, as real-world exploitation has been observed per CISA's cataloging.
Details
- CWE(s)
- KEV Date Added
- 28 July 2025