Cisco confirms active exploitation of ISE flaws that allow unauthenticated root access

3 Min Read

On Monday, Cisco updated its advisory for a set of recently disclosed security flaws affecting the Identity Services Engine (ISE) and the ISE Passive Identity Connector (ISE-PIC) to acknowledge active exploitation.

“In July 2025, Cisco PSIRT (Product Security Incident Response Team) recognized attempts to exploit some of these vulnerabilities in the wild,” the company cautioned.

The networking equipment vendor did not reveal which of the vulnerabilities were weaponized, the scale of the real-world attacks, or the identity of the threat actors behind them.

Cisco ISE plays a central role in network access control, deciding which users and devices are admitted to the corporate network and under what conditions. A compromise at this layer could give attackers unrestricted access to internal systems, let them bypass authentication controls, and disable security mechanisms.

All of the vulnerabilities outlined in the advisory are rated critical (CVSS score: 10.0).

  • CVE-2025-20281 and CVE-2025-20337 – Multiple vulnerabilities in a specific API allow unauthenticated remote attackers to run arbitrary code as root on the underlying operating system.
  • CVE-2025-20282 – An internal API vulnerability allows unauthenticated remote attackers to upload arbitrary files to an affected device and run those files on the underlying operating system as root.

The first two flaws result from insufficient validation of user-supplied input, while the third stems from a missing file validation check that would prevent uploaded files from being placed in privileged directories on the affected system.

As a result, an attacker can take advantage of these weaknesses by sending crafted API requests (for CVE-2025-20281 and CVE-2025-20337) or by uploading a crafted file to an affected device (for CVE-2025-20282).


In light of active exploitation, it is essential that customers upgrade to a fixed software release as soon as possible. Because the flaws can be exploited remotely without authentication, unpatched systems face a high risk of remote code execution. This is of particular concern for defenders managing critical infrastructure or compliance-driven environments.

Security teams should also review system logs for suspicious API activity or uploads of malformed files, especially in externally exposed deployments.
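As an added illustration of that log review (example code written for this article, not Cisco's tooling), the scanner below flags two patterns that match the defects described above: successful unauthenticated write requests to an API path, and upload filenames that could escape the upload directory or land in a privileged one. The log format, the field names and the `/api/internal/upload` path are all constructed for the example and do not reflect ISE's real log schema or endpoints.

```python
import re

# Constructed sample access-log lines in a hypothetical format (not Cisco ISE's real log schema).
# Fields: timestamp client method path status auth=<principal|none> file=<upload name|->
SAMPLE_LOG = [
    "2025-07-21T10:00:01Z 10.1.1.5 POST /api/internal/upload 200 auth=none file=../../etc/cron.d/task",
    "2025-07-21T10:00:02Z 10.1.1.9 GET /api/config 200 auth=admin file=-",
    "2025-07-21T10:00:03Z 203.0.113.7 POST /api/internal/upload 200 auth=none file=report.csv",
    "2025-07-21T10:00:04Z 203.0.113.7 POST /api/internal/upload 200 auth=svc file=/usr/local/bin/job",
    "2025-07-21T10:00:05Z 10.1.1.9 POST /api/internal/upload 200 auth=admin file=notes.txt",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "
    r"auth=(?P<auth>\S+) file=(?P<file>\S+)$"
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def suspicious_filename(name: str) -> bool:
    """True if an upload name is absolute, contains a '..' segment, or embeds a NUL byte."""
    if name == "-":  # no file attached to this request
        return False
    return name.startswith("/") or ".." in name.split("/") or "\x00" in name


def scan_log(lines):
    """Return (line_no, reason) findings; line numbers are 1-based."""
    findings = []
    for no, line in enumerate(lines, start=1):
        m = LINE_RE.match(line)
        if not m:
            findings.append((no, "unparseable line"))
            continue
        # A successful write to the API with no authenticated principal is the first signal.
        is_api_write = m["path"].startswith("/api/") and m["method"] in WRITE_METHODS
        if is_api_write and m["auth"] == "none" and m["status"].startswith("2"):
            findings.append((no, "unauthenticated API write succeeded"))
        # An upload name that could be placed outside the upload directory is the second.
        if suspicious_filename(m["file"]):
            findings.append((no, "upload name escapes upload directory"))
    return findings


if __name__ == "__main__":
    for no, reason in scan_log(SAMPLE_LOG):
        print(f"line {no}: {reason}")
```

Treat each finding as a lead to correlate with the device's own audit trail and patch state, not as proof of compromise on its own.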
