Cisco Patches Two Critical RCE Vulnerabilities in ISE and ISE-PIC

Red Dog Security

01 Jul 2025 — 1 min read

Cisco has issued an urgent advisory regarding two critical unauthenticated remote code execution (RCE) vulnerabilities impacting its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC) products.

The flaws—CVE-2025-20281 and CVE-2025-20282—have each been assigned a CVSS severity score of 10.0, the highest possible rating. The first vulnerability affects ISE and ISE-PIC versions 3.3 and 3.4, while the second is limited to version 3.4.

Vulnerability Breakdown

CVE-2025-20281
Caused by insufficient input validation in an exposed API, this flaw allows an unauthenticated remote attacker to send specially crafted API requests and execute arbitrary commands with root privileges.

CVE-2025-20282
This vulnerability stems from inadequate file validation in an internal API. It enables unauthenticated attackers to upload arbitrary files to privileged directories, allowing malicious file execution with root-level access.

Why It Matters

Cisco ISE is a cornerstone of enterprise network security, providing:

Network Access Control (NAC)
Identity and device management
Policy enforcement and segmentation

It is widely deployed across enterprise networks, government infrastructure, higher education, and service providers. These vulnerabilities pose a severe risk of compromise, particularly if exploited before patches are applied.

Current Status & Mitigation

Cisco confirms that no active exploitation has been observed, and no public proof-of-concept exploits are currently available. However, given the unauthenticated RCE impact, immediate action is advised.

Affected Versions & Fixed Builds:

ISE/ISE-PIC 3.3 → Patch to:
ise-apply-CSCwo99449_3.3.0.430_patch4 (Patch 6)
ISE/ISE-PIC 3.4 → Patch to:
ise-apply-CSCwo99449_3.4.0.608_patch1 (Patch 2) or later

No workarounds are available — patching is the only mitigation.

⏱ Why You Must Act Now

No authentication is required for exploitation
Successful attacks grant full root access
ISE is a high-value target for attackers seeking persistence and control
Enterprise impact could be severe if left unpatched

Organizations running Cisco ISE should prioritize patch deployment to avoid becoming a target of future exploits. These vulnerabilities have the potential to enable deep and persistent access to sensitive network infrastructure—making immediate remediation not just a best practice, but a necessity.

352 Android Apps Infected with IconAds Adware

Security researchers at Human Security have uncovered a massive ad fraud operation dubbed IconAds, involving 352 malicious Android apps previously available on the Google Play Store. At its peak, the campaign generated over 1.2 billion ad requests per day, primarily targeting users in Brazil, Mexico, and the United States.

AI Chatbots Like ChatGPT Are Providing Fake URLs for Major Companies

Cybersecurity analysts at Netcraft have uncovered a troubling trend: AI chatbots frequently generate incorrect or misleading URLs when asked to provide official website links for major brands. According to researchers, this flaw opens a dangerous new vector for phishing and domain hijacking attacks. Key Findings from Netcraft’s Study The

Hackers Leak Allegedly Stolen Telefónica Data

A hacker is threatening to release 106 GB of data allegedly stolen from Spanish telecommunications giant Telefónica, though the company firmly denies any recent breach or data compromise. The threat actor, operating under the alias “Rey,” claims the intrusion occurred on May 30, during which over 12 hours of data

.es Domains Become 19 Times More Popular Among Phishers

Cybersecurity researchers at Cofense report a dramatic rise in phishing campaigns leveraging .es domains, which are officially reserved for Spanish-language websites or entities based in Spain. The use of these domains by cybercriminals has surged 19-fold since the beginning of 2025, making .es the third most exploited top-level domain (TLD)