Critical vulnerability addressed in Cisco Identity Services Engine requires immediate patching
A critical vulnerability, CVE-2025-20286, has been identified in Cisco's Identity Services Engine (ISE) that poses significant security risks to cloud-based deployments on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). The flaw is rated 9.9 out of 10 in severity, a public proof-of-concept exploit exists, and successful exploitation could lead to unauthorized access, service disruptions, and modification of system configurations.
The root cause of this vulnerability is that ISE generates static credentials that are identical for every deployment of the same ISE software version on the same cloud platform. Because multiple deployments share the same internal credentials, a credential obtained from one deployment can be reused against others, which greatly widens the attack surface.
One of the potential impacts of this vulnerability is unauthorized access by unauthenticated attackers. By extracting static credentials from one cloud-based ISE instance, attackers could gain access to other instances on the same platform and version, even across different organizations. Attackers could also perform limited administrative actions and change critical system configurations, potentially causing service disruptions and compromising sensitive configuration data.
It is essential to note that on-premises Primary Administration Node (PAN) deployments are not affected by this vulnerability. However, cloud-based PAN deployments are at risk.
Cisco has released patches for ISE versions 3.1 to 3.4 on affected cloud platforms. Given the severity of the vulnerability (CVSS 9.9), Cisco has prioritized patching this flaw. There are no effective workarounds other than patching, and Cisco recommends restricting network traffic to only authorized administrators as a partial measure.
As an emergency measure, Cisco suggests resetting user credentials and configuration with the command `application reset-config ise`, though this returns the system to factory defaults and entails operational disruption. Deployments in which the Primary Administration Node runs on-premises, or which are built from Cisco's ISO/OVA software download artifacts rather than from cloud-native templates, are not exposed.
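The exposure conditions stated above (affected cloud platform, ISE 3.1 to 3.4, cloud-hosted PAN built from a cloud-native template, patch not yet applied) can be turned into an inventory triage check. This is an added example, not Cisco's code; the inventory fields and the sample deployments are constructed for illustration.

```python
from dataclasses import dataclass

# Cloud platforms named as affected in the advisory summary.
AFFECTED_PLATFORMS = {"aws", "azure", "oci"}
# ISE releases for which Cisco published patches.
PATCHED_RELEASES = ("3.1", "3.2", "3.3", "3.4")


@dataclass
class IseDeployment:
    name: str
    version: str       # full ISE version string, e.g. "3.2.0.542"
    pan_platform: str  # where the Primary Administration Node runs: "aws", "azure", "oci", "on-prem", ...
    built_from: str    # "cloud-template" (marketplace image) or "iso-ova" (Cisco download artifact)
    patched: bool      # whether the CVE-2025-20286 fix has been applied (inventory-reported assumption)


def assess(d: IseDeployment) -> str:
    """Classify one deployment as 'exposed', 'patched', 'not-affected' or 'verify'."""
    platform = d.pan_platform.lower()
    if platform == "on-prem":
        return "not-affected"            # on-premises PAN deployments are out of scope
    if d.built_from.lower() == "iso-ova":
        return "not-affected"            # ISO/OVA artifact builds avoid the static credentials
    if platform not in AFFECTED_PLATFORMS:
        return "verify"                  # cloud platform not named in the summary; check the advisory
    release = ".".join(d.version.split(".")[:2])
    if release not in PATCHED_RELEASES:
        return "verify"                  # release not named in the summary; check the advisory
    return "patched" if d.patched else "exposed"


def triage(inventory):
    """Return {deployment name: status} so exposed nodes can be patched first."""
    return {d.name: assess(d) for d in inventory}


# Constructed sample inventory (hypothetical names, not real hosts).
SAMPLE_INVENTORY = [
    IseDeployment("ise-aws-prod", "3.2.0.542", "aws", "cloud-template", False),
    IseDeployment("ise-azure-lab", "3.3.0.430", "azure", "cloud-template", True),
    IseDeployment("ise-oci-dr", "3.4.0.608", "oci", "iso-ova", False),
    IseDeployment("ise-hq", "3.1.0.518", "on-prem", "iso-ova", False),
    IseDeployment("ise-gcp-test", "3.2.0.542", "gcp", "cloud-template", False),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:14s} {status}")
```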
Continuous monitoring of cloud deployments for unusual access or configuration changes is crucial to detect and mitigate any potential threats.
In addition to CVE-2025-20286, Cisco has also patched two other vulnerabilities this week: CVE-2025-20129 and CVE-2025-20130. These vulnerabilities have a lower severity rating compared to CVE-2025-20286, with scores of 4.9. CVE-2025-20129 affects the web-based chat interface of Cisco's Customer Collaboration Platform (CCP) and could allow an authenticated user to persuade others to disclose sensitive data. CVE-2025-20130, on the other hand, could allow an attacker to upload arbitrary files to an affected system.
Organizations using Cisco ISE on the mentioned cloud platforms should urgently update their systems with Cisco’s patches and apply strict network access controls to mitigate the risk from these vulnerabilities. Regular monitoring of cloud deployments is crucial to ensure the security of sensitive data and services.
- The use of static, shared credentials in the Identity Services Engine (ISE) widens the attack surface, because every deployment of the same ISE version on the same cloud platform shares identical internal credentials.
- The significance of this issue goes beyond unauthorized access, as it also allows for limited administrative actions and configuration changes, potentially leading to service disruptions and compromise of sensitive data.
- Organizations running Cisco ISE on the affected cloud platforms should prioritize installing the patches released for versions 3.1 to 3.4, apply strict network access controls, and maintain continuous monitoring for unusual activity or configuration changes.