Cisco ISE Vulnerability Exposes Critical Remote Code Execution Risk Across Enterprise Networks

A critical Cisco ISE vulnerability (CVE-2025-20337) exposes affected systems to unauthenticated remote code execution with root privileges. Enterprises running ISE or ISE-PIC 3.3 or 3.4 should upgrade to ISE 3.3 Patch 7 or ISE 3.4 Patch 2 immediately.

    A newly disclosed critical vulnerability in Cisco’s Identity Services Engine (ISE) has received the highest possible CVSS severity score—10 out of 10—raising urgent concerns for enterprise security teams.

    The flaw, tracked as CVE-2025-20337, allows unauthenticated attackers to exploit ISE by submitting specially crafted API requests, enabling them to upload malicious files, execute arbitrary code, and even gain root-level privileges.

    Discovered by Kentaro Kawane of GMO Cybersecurity by Ierae and reported via Trend Micro’s Zero Day Initiative (ZDI), the vulnerability stems from insufficient validation of user-supplied input—an oversight that exposes organizations to full system compromise if left unpatched.

    “These vulnerabilities affect Cisco ISE and ISE-PIC releases 3.3 and 3.4, regardless of device configuration,” Cisco stated in its updated advisory.

    This latest critical bug has been added to a previously disclosed bulletin that already covered CVE-2025-20281 and CVE-2025-20282, two additional remote code execution (RCE) vulnerabilities in the ISE 3.3 and 3.4 release trains. All three can be exploited independently of one another, so a device is exposed until every one of them is fixed.

    Cisco Urges Upgrades: Patches for Earlier Flaws Don’t Cover New Threat

    Despite patches already being deployed for the earlier RCE vulnerabilities, Cisco has confirmed that those updates do not mitigate CVE-2025-20337.

    To fully address the threat posed by all three critical bugs, Cisco instructs customers to upgrade to:

    • ISE 3.3 Patch 7, or
    • ISE 3.4 Patch 2

    No alternative workarounds or mitigations are currently available. Cisco has also confirmed that ISE and ISE-PIC Release 3.2 or earlier are not affected.

    While no in-the-wild exploitation had been reported at the time of the advisory, the scope and severity of these flaws warrant immediate administrative action rather than waiting for confirmed attacks.
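Because a device that received the fix for the two earlier RCE bugs can still be exposed to CVE-2025-20337, the practical check is not "is a patch installed" but "is the installed patch at or above the level the advisory names". The following script is an added example, not code from Cisco or from the original article: it parses text in the style of ISE's `show version` output (the exact layout of that output is an assumption here; the sample is constructed) and applies the fix table stated above, treating 3.2 and earlier as unaffected.

```python
import re
from typing import Optional, Tuple

# Minimum patch level containing the fixes for CVE-2025-20281, -20282 and
# -20337, as stated in the article: ISE/ISE-PIC 3.3 needs Patch 7, 3.4 needs
# Patch 2. Releases 3.2 and earlier are stated to be unaffected.
REQUIRED_PATCH = {
    (3, 3): 7,
    (3, 4): 2,
}

# Constructed sample resembling ISE "show version" output (assumption about
# the exact layout; the base version block comes first, then one block per
# installed patch). A 3.3 node with Patch 6 installed.
SAMPLE_SHOW_VERSION = """\
Cisco Identity Services Engine
---------------------------------------------
Version      : 3.3.0.430
Build Date   : Thu Jul 20 2023
Install Date : Mon Mar  3 2025

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 6
Install Date : Tue Jun 10 2025
"""

def parse_show_version(text: str) -> Tuple[Tuple[int, int], int]:
    """Return ((major, minor), highest installed patch number).

    Patch number is 0 when no patch block is present.
    """
    base: Optional[Tuple[int, int]] = None
    patch = 0
    section = None
    for line in text.splitlines():
        # Section headers decide how the following "Version :" line is read.
        if line.startswith("Cisco Identity Services Engine Patch"):
            section = "patch"
        elif line.startswith("Cisco Identity Services Engine"):
            section = "base"
        m = re.match(r"\s*Version\s*:\s*(\S+)", line)
        if not m:
            continue
        if section == "base" and base is None:
            parts = m.group(1).split(".")
            base = (int(parts[0]), int(parts[1]))
        elif section == "patch":
            # Several patch blocks may be listed; keep the highest level.
            patch = max(patch, int(m.group(1)))
    if base is None:
        raise ValueError("no base version found in show version output")
    return base, patch

def assess(release: Tuple[int, int], patch: int) -> str:
    """Classify a node against the advisory's fixed-release table."""
    if release < (3, 3):
        return "not affected"
    required = REQUIRED_PATCH.get(release)
    if required is None:
        # Release train not covered by this advisory; consult Cisco directly.
        return "unknown"
    if patch >= required:
        return "patched"
    return f"VULNERABLE: upgrade to {release[0]}.{release[1]} Patch {required}"

def assess_show_version(text: str) -> str:
    """Convenience wrapper: parse show version text and classify it."""
    release, patch = parse_show_version(text)
    return assess(release, patch)

if __name__ == "__main__":
    print(assess_show_version(SAMPLE_SHOW_VERSION))
```

Run against the constructed sample the result is `VULNERABLE: upgrade to 3.3 Patch 7`, which is exactly the case the advisory warns about: a 3.3 node that took an earlier patch but not Patch 7. Feed it the real `show version` text from each node (over SSH, or from a collected inventory) and review any `unknown` result by hand.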

    Additional Cisco Vulnerabilities Disclosed With Medium to High Severity

    Alongside the ISE vulnerabilities, Cisco issued four new advisories addressing additional security flaws:

    • CVE-2025-20274 (High Severity): Arbitrary file upload in Cisco Unified Intelligence Center, including Unified CCX bundles. Requires Report Designer access. Fixed in 12.5(1) SU ES05 and 12.6(2) ES05.
    • CVE-2025-20272 (Medium Severity): Blind SQL injection via REST APIs in Cisco Prime Infrastructure and EPNM. Exploitable by low-privileged users. Patched in Prime Infrastructure 3.10.6 SU2 and EPNM 8.0.1 / 8.1.1.
    • CVE-2025-20283, CVE-2025-20284, CVE-2025-20285 (Medium Severity): Two authenticated RCE flaws (CVE-2025-20283 and CVE-2025-20284) and an IP access restriction bypass (CVE-2025-20285) in Cisco ISE and ISE-PIC. Resolved in 3.3 Patch 7 and 3.4 Patch 2.
    • CVE-2025-20288 (Medium Severity): SSRF vulnerability in Cisco Unified Intelligence Center. Can be exploited without authentication. Affects 12.5 and 12.6, including Unified CCX. Fixed in 12.5(1) SU ES05 and 12.6(2) ES05.

    None of the above vulnerabilities have workarounds; upgrading is the only fix. Cisco advises customers to review their current deployment, confirm that devices have enough memory for the target release, and validate hardware and software compatibility before upgrading.
