Exploit Published for Actively Exploited Cisco ISE Vulnerability Leading to Root Access

Cisco ISE vulnerability CVE-2025-20281 now has a public exploit, enabling remote root access. Active exploitation is confirmed. Patching remains the only defense.

A working exploit has now been released for CVE-2025-20281, a critical remote code execution vulnerability in Cisco’s Identity Services Engine (ISE), which Cisco confirmed is already being actively exploited. Security researcher Bobby Gould shared a full technical breakdown of the exploit chain, confirming how attackers can gain root access to the host system starting from an unauthenticated network position.

On June 25, 2025, Cisco disclosed the issue, warning that it impacts ISE and ISE-PIC versions 3.3 and 3.4. The flaw allows remote attackers to upload arbitrary files and execute them as root by abusing a vulnerable method named enableStrongSwanTunnel(), which combines unsafe deserialization with command injection.

Three weeks after the original disclosure, Cisco revised its security bulletin to split the flaw into two related vulnerabilities:

• CVE-2025-20281 — command injection
• CVE-2025-20337 — unsafe deserialization

Cisco made hotfixes available earlier and urged customers to upgrade to version 3.3 Patch 7 or 3.4 Patch 2 to fully mitigate both issues. On July 22, Cisco officially confirmed that both vulnerabilities were being actively exploited in the wild, increasing the urgency for administrators to patch immediately.

Bobby Gould’s write-up, published days later, shows how attackers can exploit the command injection vulnerability by sending a serialized Java String[] payload that reaches Java’s Runtime.exec() method. He uses ${IFS} to bypass argument tokenization issues and successfully executes commands as root inside a Docker container.

What makes this particularly severe is the second part of the exploit. Gould demonstrates how to escape the Docker container and gain root access on the host system using a known container breakout technique involving cgroups and the release_agent mechanism, a method previously used in container privilege escalation attacks.

“Although Gould’s proof-of-concept isn’t a plug-and-play weaponized script, it includes enough technical detail and payload structure for advanced threat actors to replicate the attack.”

With both vulnerabilities already exploited in real-world attacks, the public release of this exploit research is expected to trigger a further spike in malicious activity targeting unpatched Cisco ISE deployments.

There are no available workarounds for either CVE-2025-20281 or CVE-2025-20337. Cisco’s advisory remains the only official mitigation path, directing users to install the necessary patches without delay.
