SOC Advisory – Unauthenticated Remote Code Execution in Cisco ISE (CVE-2025-20337) – 17 July 2025

Overview

CVE: CVE-2025-20337
Severity: CRITICAL
Score: 10.0
Date: 17 July 2025

Cisco has disclosed a critical unauthenticated remote code execution (RCE) vulnerability in Identity Services Engine (ISE) and ISE-PIC. The flaw allows a remote attacker to execute arbitrary commands as the root user without any credentials. Exploitation occurs via crafted API requests and affects core identity infrastructure.

Affected Versions

• Cisco ISE 3.3 and earlier (pre-Patch 7)
• Cisco ISE 3.4 (pre-Patch 2)
• ISE-PIC equivalent builds

Vulnerability Breakdown

CVE-2025-20337

• Description: Insufficient input validation in ISE APIs.
• Score: CVSS 10.0
• Impact: Complete remote system takeover as root, unauthenticated.
• Risk: Immediate risk to enterprise network access and identity services.

Mitigation

Upgrade immediately to:

• Cisco ISE 3.4 Patch 2 or later
• Cisco ISE 3.3 Patch 7 + hotfix

No workarounds exist. Ensure management interfaces are not exposed to untrusted networks.

Summary for IT Teams

• Products: Cisco ISE, ISE-PIC
• Threat Level: Critical
• Action:
  • Patch to safe versions immediately
  • Audit firewall rules to restrict API and admin access
  • Monitor for unusual authentication or API traffic

References

• Cisco Security Advisory
• CVE

Need Help?

If your organisation requires assistance identifying affected systems, applying updates or adjusting controller configurations, our team is here to help. Email us via soc@secure-iss.com for assistance.