July 18th, 2025

Critical Unauthenticated RCE in Cisco ISE (CVE-2025-20337) Threatens Network Access Control Integrity

Critical

Our Cyber Threat Intelligence Unit has been monitoring a critical vulnerability (CVE-2025-20337) affecting Cisco's ISE and (Identity Service Engine) and ISE-PIC (Passive Identity Connector) platforms, as disclosed by Cisco. This unauthenticated RCE (Remote Code Execution) flaw allows remote attackers to execute arbitrary commands as the root user through a specially crafted API request. Since it requires no authentication and involves root-level access, this vulnerability has a CVSS score of 10.0 and requires immediate attention. ISE is commonly used for identity-based network access control, making this vulnerability highly impactful to enterprise security architectures that depend on zero-trust policies and posture assessment.

Technical Details

Vulnerability ID: CVE-2025-20337.
Type: Unauthenticated Remote Code Execution.
Severity Level: 10.0 (Critical).
Attack Vector: Remote via HTTP(S).
Authentication Required: No.
Privileges Required: None.
User Interaction: None.
Vulnerable Components: ISE REST API interface.
Root Cause: Improper input validation on exposed API endpoints.
Patched Versions:
ISE 3.3 → Patch 7
ISE 3.4 / ISE-PIC → Patch 2

The vulnerability stems from how ISE’s APIs handle user input. Attackers can send specially crafted HTTP requests to ISE's API endpoints and execute commands with root privileges without needing authentication. This issue is separate from but related to CVE-2025-20281 and CVE-2025-20282, which were previously disclosed and involve RCE through insecure API handling.

Impact

Compromise of Administrative Control: Allows attackers to gain root shell access, leading to complete system takeover.
Lateral Movement & Credential Theft: Attackers may pivot into internal networks, capture authentication tokens, or deploy additional tooling.
Breakdown of NAC & Zero Trust: Compromising ISE directly impacts an organization’s network access enforcement and segmentation models.
No Authentication Barrier: Can be executed from any network with HTTP/S access to ISE’s management interface.

Detection Method

Although exploitation of CVE-2025-20337 has not yet been observed in the wild, the following detection methods are recommended:

Log-Based Detection:
- Monitor for unexpected HTTP POST or PUT requests to:
  - /admin/API/mnt/Session/
  - /admin/API/mnt/System/
- Look for root-level command execution logs in:
  - /var/log/ise/system.log
  - /opt/CSCOcpm/logs/
Network Detection:
- Flag unauthenticated access attempts to TCP port 443 or 9060 (ISE default ports).
- Deploy IDS/IPS signatures for known payload patterns (if publicly available).
Behavioral Indicators:
- Unusual creation of local users or SSH keys.
- Outbound traffic from the ISE host to unknown IPs.
- Configuration changes to authentication/authorization policies.

Indicators of Compromise

There are no Indicators of Compromise (IOCs) for this Advisory.

mix of red, purple, orange, blue bubble shape waves horizontal for cybersecurity and netwo

Recommendations

Patch Immediately:
- Apply Patch 7 for ISE 3.3 and Patch 2 for ISE 3.4 / ISE-PIC.
- Cisco notes that previous hotfixes for other CVEs (e.g., CVE-2025-20281) do not cover this vulnerability.
Restrict Access:
- Limit access to ISE management interfaces to trusted IPs only.
- Apply ACLs or firewall rules around ISE API endpoints.
Monitor for Indicators:
- Enable verbose API logging.
- Use EDR and NDR tools to monitor post-exploitation behaviors.
Review Prior CVEs: Ensure your environment is also patched for:
- CVE-2025-20281
- CVE-2025-20282
Network Segmentation: Isolate ISE appliances from direct internet access and limit exposure within internal networks.

Conclusion

CVE-2025-20337 is among the most serious Cisco ISE vulnerabilities disclosed to date, allowing unauthenticated attackers to gain complete remote control of the system. Although no active exploitation has been confirmed, its simplicity, lack of authentication, and high privilege level make it extremely dangerous for unpatched environments. We urge organizations relying on Cisco ISE for network segmentation and identity enforcement to treat this vulnerability as a critical incident and take immediate action to remediate it. Ongoing monitoring should also be maintained even after the patch is applied to detect any signs of unauthorized access.

References

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6

https://www.bleepingcomputer.com/news/security/max-severity-cisco-ise-bug-allows-pre-auth-command-execution-patch-now/

https://thehackernews.com/2025/07/cisco-warns-of-critical-ise-flaw.html

https://securityaffairs.com/180044/security/cisco-patches-critical-cve-2025-20337-bug-in-identity-services-engine-with-cvss-10-severity.html

https://secure-iss.com/soc-advisory-unauthenticated-remote-code-execution-in-cisco-ise-cve-2025-20337-17-july-2025/

https://www.darkreading.com/application-security/cisco-cvss-10-flaw-ise-ise-pic-patch-now

Critical Cisco ISE Vulnerability Allows Remote Attacker to Execute Commands as Root User