Cisco ISE vulnerabilities actively targeted by attackers
The vulnerabilities stem from manipulated API inputs or file uploads in unpatched versions of ISE 3.3 and 3.4.

Attackers have begun actively targeting critical vulnerabilities in Cisco’s Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), less than a month after patches were made available.
The flaws, CVE-2025-20281 and CVE-2025-20337, allow unauthenticated users to execute arbitrary commands at the root level via manipulated API inputs. A third issue, CVE-2025-20282, enables arbitrary file uploads to privileged directories.
All three bugs received a maximum severity score of 10/10. Cisco addressed them in ISE 3.3 Patch 7 and ISE 3.4 Patch 2. Although no breaches have been publicly confirmed, the company has reported exploitation attempts in the wild and is urging immediate updates.
Given ISE’s role in enterprise network access control and policy enforcement, compromised systems could provide attackers with pervasive root-level access. Security teams should prioritise patching, audit their ISE/ISE-PIC deployments, and monitor API logs for unusual activity.