New Report Alert: Top Ransomware Attacks of 2025. Being Prepared for 2026
Get a Demo

Vulnerabilities

CVE-2025-20281

Critical Unauthenticated RCE in Cisco ISE via Malicious API Requests: CVE-2025-20281 Demystified

Vulnerability Overview

Vulnerability Overview

CVE ID: CVE-2025-20281

CVE Title: Cisco ISE API Unauthenticated Remote Code Execution

Severity: Critical

Exploit Status: Actively exploited in the wild

Business Risk: Full takeover of Cisco ISE/ISE-PIC servers with root access, service disruption, and exposure of sensitive data.

Compliance Impact: Possible violations of data protection and security compliance frameworks due to unauthorized system control, weak access safeguards, and risk of system-wide compromise.

Summary

CVE-2025-20281 is a critical flaw in Cisco ISE/ISE-PIC that allows unauthenticated remote attackers to execute commands as root. Affecting 3.3 and 3.4 releases, it’s rated CVSS 10.0 with no workarounds and public exploits available. Immediate patching (3.3 Patch 6, 3.4 Patch 2) is essential to avoid full system compromise.

Urgent Actions Required

Upgrade Cisco ISE 3.3 to Patch 6 and Cisco ISE 3.4 to Patch 2 as soon as possible.

No workarounds are available, so patching is the only effective mitigation. Monitor Cisco advisories and system logs closely for any unusual or suspicious API activity.

Which Systems Are Vulnerable to CVE-2025-20281?

Technical Overview

  • Vulnerability Type: Remote Code Execution via Improper Input Validation in API
  • Affected Software/Versions:
    • Cisco Identity Services Engine (ISE) 3.3 (before Patch 6)
    • Cisco Identity Services Engine (ISE) 3.4 (before Patch 2)
    • Cisco ISE-PIC (same versions as above)
  • Attack Vector: Network (API request over HTTP/HTTPS)
  • CVSS Score: 10.0
  • CVSS Vector: CVSS:3.1
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
  • Patch Availability: Yes - fixed in Cisco ISE 3.3 Patch 6 and 3.4 Patch 2[1]

How Does the CVE-2025-20281 Exploit Work?

The attack typically follows these steps:

How Does the CVE-2025-20281 Exploit Work

What Causes CVE-2025-20281?

Vulnerability Root Cause:

The flaw comes from poor input validation in a public API of Cisco ISE/ISE-PIC. Attackers can send crafted requests to inject OS commands, which the system runs with root privileges, resulting in full remote code execution.

How Can You Mitigate CVE-2025-20281?

No official workarounds are currently available for this vulnerability. The only effective mitigation is to apply Cisco’s security updates.

Upgrade to Cisco ISE/ISE-PIC 3.3 Patch 6 or 3.4 Patch 2 as soon as possible to fully address the issue.

Which Assets and Systems Are at Risk?

Asset Types Affected:

  • Cisco Identity Services Engine (ISE) appliances
  • Cisco ISE-PIC (Passive Identity Connector) appliances

Business-Critical Systems at Risk:

  • Network Access Control platforms – core to managing user/device authentication in enterprise networks
  • Identity and Policy Management systems – central for enforcing security and compliance policies
  • Integrated IT/security environments – where Cisco ISE is tied to Active Directory, VPNs, or security appliances

Exposure Level:

  • Internet-exposed Cisco ISE/ISE-PIC systems – most at risk due to remote unauthenticated exploitability
  • Internal enterprise networks – also vulnerable if attackers gain network foothold and can reach the API endpoint

Will Patching CVE-2025-20281 Cause Downtime?

Patch application impact: Patch application may require standard upgrade and reboot procedures; organizations should plan maintenance windows accordingly.

Remediation & Response

Patch/Upgrade Instructions:

  • Customers should upgrade to the fixed releases specified in the official Cisco advisory.[1]

Remediation Timeline:

  • Cisco strongly recommends applying the patch immediately.
  • Until upgraded, affected Cisco ISE appliances remain exposed to attempted exploitation.

Rollback Plan:

If the upgrade introduces operational issues, revert to the previous known stable Cisco ISE release and schedule reapplication of the patched version once validated.

Incident Response Considerations:

Admins should review system and access logs for signs of suspicious API activity and ensure deployments are fully patched.

Where Can I Find More Information on CVE-2025-49706?

  1. ^Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities
  2. ^NVD – CVE-2025-20281
  3. ^CVE-2025-20281 : A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an
  4. ^CVE-2025-20281 – Cisco Identity Services Engine Injection Vulnerability – [Actively Exploited]

CVSS Breakdown Table

MetricValue Description
Base Score10.0Critical severity, maximum impact and exploitability
Attack VectorNetworkVulnerable remotely over HTTP/HTTPS
Attack ComplexityLowStraightforward exploitation: no special conditions required
Privileges RequiredNoneNo authentication or privileges needed to exploit
User Interaction NoneNo user involvement (e.g., no clicks) is necessary
Scope Changed Exploitation can extend impact beyond the Cisco ISE component
Confidentiality Impact HighFull exposure of sensitive information possible
Integrity ImpactHighAllows unauthorized data modification or tampering
Availability ImpactHighSuccessful exploitation can significantly disrupt system availability

Take Control of Your Network with Fidelis DSI

Download the Whitepaper

Related Readings

One Platform for All Adversaries

See Fidelis in action. Learn how our fast and scalable platforms provide full visibility, deep insights, and rapid response to help security teams across the World protect, detect, respond, and neutralize advanced cyber adversaries.

Get a Demo