Attackers have begun actively targeting critical vulnerabilities in Cisco's Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE‑PIC), less than a month after patches were made available.
The flaws, CVE‑2025‑20281 and CVE‑2025‑20337, allow unauthenticated users to execute arbitrary commands at the root level via manipulated API inputs. A third issue, CVE‑2025‑20282, enables arbitrary file uploads to privileged directories.
All three bugs received a maximum severity score of 10/10. Cisco addressed them in 3.3 Patch 7 and 3.4 Patch 2. Despite no confirmed public breaches, the company has reported attempted exploits in the wild and is urging immediate updates.
Given ISE's role in enterprise network access control and policy enforcement, compromised systems could provide attackers with pervasive root-level access. Security teams should prioritise patching, audit their ISE/ISE‑PIC deployments, and monitor API logs for unusual activity.
