CVE-2025-20337

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 16 July 2025
Modified: 28 October 2025
KEV Added: 28 July 2025
Patch: see Cisco Security Advisory cisco-sa-ise-unauth-rce-ZAd2GnJ6
CVSS v3.1 base score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.0135 (80.5th percentile)
Risk Priority: 41 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-20337 is a critical-severity Injection (CWE-74) vulnerability in Cisco Identity Services Engine. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC allows an unauthenticated remote attacker to execute arbitrary code as root on the underlying operating system. The flaw stems from insufficient validation of user-supplied input and carries a CVSS score of 10.0.

An attacker can exploit the issue by submitting a crafted API request without any credentials, achieving full root-level control over an affected device. The attack requires no user interaction and can be launched over the network.

The Cisco Security Advisory cisco-sa-ise-unauth-rce-ZAd2GnJ6 and the CISA Known Exploited Vulnerabilities catalog both address the issue, confirming active exploitation in the wild. The associated EPSS score has remained flat at 0.0135 with no material increase since disclosure.

Vulnerability details

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.

CWE(s): CWE-74 (Injection)
KEV Date Added: 28 July 2025

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques? Direct unauthenticated RCE on a public-facing Cisco ISE API with root privileges via crafted input (CWE-74).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-20127 (same vendor: Cisco; both on KEV)
CVE-2026-20131 (same vendor: Cisco; both on KEV)
CVE-2025-20393 (same vendor: Cisco; both on KEV)
CVE-2026-20128 (same vendor: Cisco; both on KEV)
CVE-2026-20045 (same vendor: Cisco; both on KEV)
CVE-2025-20352 (same vendor: Cisco; both on KEV)
CVE-2025-20362 (same vendor: Cisco; both on KEV)
CVE-2025-20333 (same vendor: Cisco; both on KEV)
CVE-2025-20265 (same vendor: Cisco)
CVE-2025-20124 (same product: Cisco Identity Services Engine)

Affected Assets

Cisco Identity Services Engine: 3.3.0, 3.4.0
Cisco Identity Services Engine Passive Identity Connector (ISE-PIC): 3.3.0, 3.4.0

Mitigating Controls (NIST 800-53 r5)

prevent: Requires timely identification, reporting, and patching of the specific flaw causing insufficient input validation in the Cisco ISE API, preventing arbitrary code execution.

prevent (SI-10, Information Input Validation): Directly enforces comprehensive input validation mechanisms at API entry points to block crafted requests leading to root-level RCE.

prevent (RA-5, Vulnerability Monitoring and Scanning): Mandates regular vulnerability scanning to detect this critical CVE in Cisco ISE, enabling prompt flaw remediation before exploitation.
