Full Report
Cisco is warning that three recently patched critical remote code execution vulnerabilities in Cisco Identity Services Engine (ISE) are now being actively exploited in attacks. [...]
Analysis Summary
# Vulnerability: Cisco ISE/ISE-PIC Unauthenticated Remote Code Execution Flaws
## CVE Details
- CVE ID: CVE-2025-20337 (Note: The article implies three flaws, but only explicitly names one CVE, CVE-2025-20337. Description suggests multiple flaws share the 10.0 rating.)
- CVSS Score: 10.0 (Critical)
- CWE: Insufficient Input Validation (Implied)
## Affected Systems
- Products: Cisco Identity Services Engine (ISE) and ISE Policy Elements Core (ISE-PIC)
- Versions:
- ISE 3.3 (Prior to Patch 7)
- ISE 3.4 (Prior to Patch 2)
- Configurations: Specific details about which components contain the upload/API vulnerabilities are implied but not fully itemized across all three flaws. Users on ISE 3.2 or earlier are **not** affected.
## Vulnerability Description
The context describes three maximum-severity Remote Code Execution (RCE) vulnerabilities affecting Cisco ISE and ISE-PIC. One specific flaw involves a lack of file validation, allowing an attacker to upload malicious files into privileged directories and execute them as root. Another flaw (CVE-2025-20337) affects API requests due to insufficient input validation, allowing unauthenticated attackers to gain root access.
## Exploitation
- Status: Exploited in the wild (Explicitly stated: "now exploited in attacks")
- Complexity: Low (Implied by unauthenticated and network attack vectors)
- Attack Vector: Network (Remotely exploitable via API requests)
## Impact
- Confidentiality: High (Root access often leads to full compromise)
- Integrity: High (Root access often leads to full compromise)
- Availability: High (Root access often leads to full compromise)
## Remediation
### Patches
The recommended action is to upgrade to the following versions immediately:
- ISE 3.3 users: Upgrade to **Patch 7**
- ISE 3.4 users: Upgrade to **Patch 2**
Cisco previously released two separate hot patches for these issues.
### Workarounds
- There are **no workarounds** available for the three vulnerabilities. Applying the vendor patches is the *only* recommended course of action.
## Detection
- Detection indicators are not explicitly provided in the summary text, but active exploitation suggests monitoring for anomalous file uploads or unauthorized access attempts targeting ISE API endpoints.
## References
- Vendor advisories: (Not provided in the text block, but implied Cisco advisories exist)
- Relevant links:
- hxxps://www.bleepingcomputer.com/news/security/cisco-maximum-severity-ise-rce-flaws-now-exploited-in-attacks/