Overview
CVE: CVE-2025-20337
Severity: CRITICAL
Score: 10.0
Date: 17 July 2025
Cisco has disclosed a critical unauthenticated remote code execution (RCE) vulnerability in Identity Services Engine (ISE) and ISE-PIC. The flaw allows a remote attacker to execute arbitrary commands as the root user without any credentials. Exploitation occurs via crafted API requests and affects core identity infrastructure.
Affected Versions
- Cisco ISE 3.3 and earlier (pre-Patch 7)
- Cisco ISE 3.4 (pre-Patch 2)
- ISE-PIC equivalent builds
Vulnerability Breakdown
CVE-2025-20337
- Description: Insufficient input validation in ISE APIs.
- Score: CVSS 10.0
- Impact: Complete remote system takeover as root, unauthenticated.
- Risk: Immediate risk to enterprise network access and identity services.
Mitigation
Upgrade immediately to:
- Cisco ISE 3.4 Patch 2 or later
- Cisco ISE 3.3 Patch 7 + hotfix
No workarounds exist. Ensure management interfaces are not exposed to untrusted networks.
Summary for IT Teams
- Products: Cisco ISE, ISE-PIC
- Threat Level: Critical
- Action:
- Patch to safe versions immediately
- Audit firewall rules to restrict API and admin access
- Monitor for unusual authentication or API traffic
References
Need Help?
If your organisation requires assistance identifying affected systems, applying updates or adjusting controller configurations, our team is here to help. Email us via soc@secure-iss.com for assistance.