Cisco recently released updates to address two critical security vulnerabilities in its Identity Services Engine (ISE), which could allow remote attackers to execute arbitrary commands and escalate privileges on vulnerable devices. The first flaw, identified as CVE-2025-20124, has a CVSS score of 9.9 and is an insecure Java deserialization vulnerability in an API of Cisco ISE. This vulnerability could allow an authenticated, remote attacker to execute commands as the root user on an affected device. The second flaw, CVE-2025-20125, carries a CVSS score of 9.1 and involves an authorization bypass vulnerability in an API, enabling an attacker with valid read-only credentials to access sensitive information, alter node configurations, and restart the node.
These vulnerabilities can be exploited by sending a crafted serialized Java object or HTTP request to an unspecified API endpoint, leading to privilege escalation and code execution. Cisco has confirmed that these two flaws are not dependent on each other and that no workarounds are available to mitigate them. As part of its security patching efforts, Cisco has provided fixed releases for various ISE software versions, including version 3.0, 3.1 (fixed in 3.1P10), 3.2 (fixed in 3.2P7), and 3.3 (fixed in 3.3P4), while ISE 3.4 is not vulnerable to these issues.
Deloitte security researchers Dan Marin and Sebastian Radulea discovered and reported the vulnerabilities. Although Cisco stated it is not aware of any malicious exploitation of these flaws, the company has advised users to apply the relevant updates to their systems to avoid potential risks.
Ensuring systems are up-to-date is critical for safeguarding against such security issues and minimizing exposure to remote attacks.
With these updates, Cisco aims to strengthen the security of its ISE platform and protect its users from potential threats. Organizations relying on Cisco ISE for network management should prioritize patching these vulnerabilities to ensure the continued security and integrity of their systems. This incident highlights the growing need for organizations to stay proactive in addressing vulnerabilities, especially those that could lead to unauthorized access and privilege escalation.
