Cisco Identity Services Engine, unauthenticated remote code execution
A vulnerability in a specific API of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this by submitting a crafted API request, and a successful exploit grants the attacker root privileges on the affected device.
Overview
CVE-2025-20337 is a maximum-severity (CVSS 10.0) vulnerability affecting Cisco Identity Services Engine (ISE) and the Cisco ISE Passive Identity Connector (ISE-PIC), the network access control and identity platform widely deployed in enterprise environments. The flaw allows an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system with root privileges, resulting in complete compromise of the appliance. Cisco published the advisory on July 16, 2025, and later confirmed attempted exploitation in the wild. CISA added the CVE to its Known Exploited Vulnerabilities catalog on July 28, 2025.
Technical Details
The root cause is insufficient validation of user-supplied input within a specific API exposed by ISE and ISE-PIC. An attacker who sends a crafted API request can bypass intended input handling and inject content that is processed by a downstream component, leading to arbitrary code execution. No authentication and no user interaction are required, and the scope is changed (S:C) because code runs as root on the host operating system rather than within the constrained application context. The vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, and the weakness is classified as CWE-74 (improper neutralization of special elements in output used by a downstream component).
Impact
- Full remote takeover of the ISE/ISE-PIC appliance as root.
- Compromise of network access control policy, enabling unauthorized network admission.
- Theft of, or tampering with, stored credentials, certificates, and configuration.
- Use of the appliance as a pivot point into the broader enterprise network.
Mitigation
- Upgrade Cisco ISE/ISE-PIC 3.3 to Release 3.3 Patch 7 or later.
- Upgrade Cisco ISE/ISE-PIC 3.4 to Release 3.4 Patch 2 or later (devices already on 3.4 Patch 2 require no action).
- Do not rely on the earlier hot patches (ise-apply-CSCwo99449_3.3.0.430_patch4-SPA and ise-apply-CSCwo99449_3.4.0.608_patch1-SPA); they do not remediate this CVE. Move to the full patched releases above.
- ISE releases 3.2 and earlier are not affected.
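The following triage helper, added here as an example and not taken from the page or from Cisco, encodes the fixed-release thresholds above so an inventory of ISE/ISE-PIC nodes can be checked in bulk; it also treats the two hot patches named above as non-remediating. The function names, the input format (a version string plus an integer cumulative patch level) and the sample inventory are assumptions for this example.

```python
"""Triage helper for CVE-2025-20337: given an ISE / ISE-PIC release line and
cumulative patch level, decide whether a node still needs action.
Thresholds and hot patch names come from the advisory text; everything else
(function names, input shape, sample inventory) is assumed for this example."""
import re

# Minimum cumulative patch per affected release line (3.3 -> Patch 7, 3.4 -> Patch 2).
FIXED_PATCH = {"3.3": 7, "3.4": 2}

# Interim hot patches that do NOT remediate this CVE.
INEFFECTIVE_HOT_PATCHES = {
    "ise-apply-CSCwo99449_3.3.0.430_patch4-SPA",
    "ise-apply-CSCwo99449_3.4.0.608_patch1-SPA",
}

def parse_release(version: str) -> tuple[int, int]:
    """Reduce a version such as '3.3.0.430' or '3.4' to (major, minor)."""
    m = re.match(r"^(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised ISE version string: {version!r}")
    return int(m.group(1)), int(m.group(2))

def assess(version: str, patch_level: int, hot_patches=()) -> tuple[str, str]:
    """Return (status, reason); status is one of
    'not_affected', 'patched', 'vulnerable', 'unknown'."""
    major, minor = parse_release(version)
    line = f"{major}.{minor}"
    if (major, minor) <= (3, 2):
        return "not_affected", "release 3.2 or earlier"
    if line not in FIXED_PATCH:
        return "unknown", f"release line {line} not covered by the advisory text"
    if patch_level >= FIXED_PATCH[line]:
        return "patched", f"patch {patch_level} >= required patch {FIXED_PATCH[line]}"
    # A hot patch never changes the verdict; say so explicitly so an operator
    # understands why a node that "applied the fix" is still listed.
    if any(p in INEFFECTIVE_HOT_PATCHES for p in hot_patches):
        return "vulnerable", "only a non-remediating hot patch is applied"
    return "vulnerable", f"patch {patch_level} < required patch {FIXED_PATCH[line]}"

def triage(inventory) -> list[str]:
    """Return the names of inventory nodes that still need upgrading."""
    return [n["name"] for n in inventory
            if assess(n["version"], n["patch"], n.get("hot_patches", ()))[0] == "vulnerable"]

# Constructed sample inventory (hypothetical node names, not real hosts).
SAMPLE_INVENTORY = [
    {"name": "ise-pan-1", "version": "3.3.0.430", "patch": 7},
    {"name": "ise-psn-2", "version": "3.3.0.430", "patch": 4,
     "hot_patches": ["ise-apply-CSCwo99449_3.3.0.430_patch4-SPA"]},
    {"name": "ise-pic-1", "version": "3.4.0.608", "patch": 2},
    {"name": "ise-old-1", "version": "3.2.0.542", "patch": 7},
]
```

Running `triage(SAMPLE_INVENTORY)` on the constructed inventory lists only `ise-psn-2`, the node that applied the hot patch but not 3.3 Patch 7.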
Detection
Review ISE administrative and API access logs for unexpected or malformed requests to the affected API and for unauthorized configuration changes or new administrative accounts. Inspect the appliance for unexpected processes running as root and for unrecognized files. Monitor for outbound connections from the ISE management interface to unknown hosts. CISA added CVE-2025-20337 to the Known Exploited Vulnerabilities catalog on July 28, 2025; federal agencies were directed to remediate by August 18, 2025.