{"id":14342,"date":"2025-06-27T01:32:45","date_gmt":"2025-06-27T01:32:45","guid":{"rendered":"https:\/\/newestek.com\/?p=14342"},"modified":"2025-06-27T01:32:45","modified_gmt":"2025-06-27T01:32:45","slug":"cisco-warns-of-critical-api-vulnerabilities-in-ise-and-ise-pic","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14342","title":{"rendered":"Cisco warns of critical API vulnerabilities in ISE and ISE-PIC"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

CSOs are being urged to quickly patch multiple vulnerabilities in Cisco Systems Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the\u00a0root\u00a0<\/em>user.<\/p>\n

The fault behind both vulnerabilities: Holes in application programming interfaces (APIs).<\/p>\n

\u201cTake this vulnerability seriously,\u201d said Moses Frost, senior course instructor on cloud penetration testing at the SANS Institute. \u201cIn my experience assessing networks, I have found through testing that many lack essential patches and security hardening on their core network devices. I have seen Cisco ISE deployments where regular users can freely access all ports on ISE, including Administrative pages. Assume threat actors would also have lateral access from inside the network. Although this is not best practice from Cisco, many production deployments make these APIs accessible. If you are running ISE, patch this now.\u201d<\/p>\n

How big is the risk? Cisco ISE is often used as a wireless authentication system, Frost pointed out, which frequently includes guest network portals, and it\u2019s also likely integrated into Microsoft Active Directory as a highly trusted system. It is also used to authenticate access to the administration layers of routers, switches, firewalls, and other network devices \u2014 and it can be used as a network access control (NAC) product.<\/p>\n

\u2018One of the worst I\u2019ve seen\u2019<\/h2>\n

\u201cThis is probably one of the worst [flaws] I have seen in terms of impact,\u201d said Kellman Meghu, principal security architect at DeepCove Cybersecurity. \u201cIt is a path for an unauthenticated, remote attacker to gain the highest-level privilege possible, so I am not even sure how it gets much worse that this, and then it does.\u201d<\/p>\n

\u201cThis is most serious for companies that are failing to perform the proper security hygiene,\u201d said Robert Beggs, CEO of Canadian incident response firm Digital Defence.<\/p>\n

By that he means those that don\u2019t have a hardware inventory that includes network components, who don\u2019t monitor vendor or media announcements of recent vulnerabilities, or who lack the licensing that facilitates system upgrades and patches.\u00a0<\/p>\n

Cisco has patches for these issues, but they aren\u2019t delivered automatically, he pointed out, and admins have to follow Cisco\u2019s process to obtain the patch.<\/p>\n

Because ISE is the gatekeeper for network access (wired, wireless, VPN, or guest access), he warned, root access will allow attackers to gain the credentials for full movement through all network segments.<\/p>\n

\u201cAt present, there are no reports that these are being exploited in the wild,\u201d he said in an email to CSO. \u201cHowever, they are zero-interaction\u00a0exploits, so it is possible for attacks to go undetected. Because there is no need to authenticate, it is critical to apply the patches as soon as possible, as exploits will likely be available soon \u2014 if they are not already in use.\u201d<\/p>\n

Rated critical<\/h2>\n

The vulnerabilities \u2014 rated by Cisco as critical <\/a>\u2014 are:<\/p>\n