{"id":14465,"date":"2025-07-18T12:31:07","date_gmt":"2025-07-18T12:31:07","guid":{"rendered":"https:\/\/newestek.com\/?p=14465"},"modified":"2025-07-18T12:31:07","modified_gmt":"2025-07-18T12:31:07","slug":"cisco-warns-of-another-critical-rce-flaw-in-ise-urges-immediate-patching","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14465","title":{"rendered":"Cisco warns of another critical RCE flaw in ISE, urges immediate patching"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Cisco has dropped another maximum-severity advisory detailing an unauthenticated remote code execution (RCE) flaw in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC).<\/p>\n<p>The networking equipment giant warned that the flaw, much like a critical bug it fixed last month, stems from insufficient input validation in a public API.<\/p>\n<p>\u201cCisco\u2019s disclosure of the flaw highlights a troubling pattern in API-exposed infrastructure \u2014 insufficient input validation leading to unauthenticated remote code execution,\u201d said Randolph Barr, chief information security officer at Cequence Security. 
\u201cWith a CVSS score of 10, this is a worst-case scenario: attackers can remotely gain root access without credentials or user interactions.\u201d<\/p>\n<p>Cisco has <a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-ise-unauth-rce-ZAd2GnJ6\" target=\"_blank\" rel=\"noreferrer noopener\">urged<\/a> admins to treat the flaw as separate from CVE-2025-20281, another max-severity bug impacting the same identity and access management (IAM) products, and to apply the targeted patch it has now released.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Root-level API RCE via crafted requests<\/h2>\n<p>The flaw, tracked as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-20337\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-20337<\/a>, affects ISE and ISE-PIC versions 3.3 and 3.4 (but not 3.2 or earlier) and allows an attacker to run commands or malicious files as root, no credentials needed.<\/p>\n<p>According to the Cisco advisory, incomplete request sanitization on a specific API of Cisco ISE and Cisco ISE-PIC, the same API affected by <a href=\"https:\/\/www.csoonline.com\/article\/4013597\/cisco-warns-of-critical-api-vulnerabilities-in-ise-and-ise-pic.html\">CVE-2025-20281<\/a>, could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root.<\/p>\n<p>Barr believes the flaw is all the more concerning with the rise of generative AI.<\/p>\n<p>\u201cWhat\u2019s particularly concerning in 2025 is the role of generative AI in democratizing exploitation,\u201d he said. \u201cAttackers with little technical experience can now use AI to identify exposed Cisco ISE systems, craft malicious API requests, and launch targeted attacks, significantly accelerating the threat window.\u201d<\/p>\n<p>The bug is fixed in Cisco ISE Release 3.4 Patch 2 and Release 3.3 Patch 7. 
Cisco said there are no workarounds, and updating to a fixed version is the only remediation.<\/p>\n<p>The company also warned that the hot patches \u201cise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz\u201d and \u201cise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz,\u201d installed in response to CVE-2025-20281, do not address CVE-2025-20337, so customers will have to update to the dedicated patched releases.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Faster patching is needed<\/h2>\n<p>Barr is concerned that the flaw will be abused as an N-day before organizations can patch. \u201cWhile it\u2019s positive that Cisco is transparent in disclosure and swift in releasing patches, the reality is that patching these types of vulnerabilities \u2014 especially in large, distributed enterprise environments \u2014 is not instantaneous,\u201d he said. \u201cRestart requirements and dependencies on high-availability setups often delay full remediation.\u201d<\/p>\n<p>He added that the speed and simplicity of modern exploit development, especially through AI, should be a concern.<\/p>\n<p>Jason Soroko, senior fellow at Sectigo, is more worried about the blast radius of a potential exploit. \u201cISE sits at the very edge of trust for many campus networks, and a breach can rewrite access policies, move endpoints between VLANs, and open pivots into every segment,\u201d he said. 
\u201cThe vulnerable API is often reachable from broad internal address ranges, sometimes even guest Wi-Fi, and ISE patching requires disruptive maintenance windows.\u201d<\/p>\n<p>Active targeting feels likely because the earlier flaw (CVE-2025-20281) already attracted public proof-of-concept exploits and scan traffic within days, Soroko added.<\/p>\n<p>For additional protection, Barr recommends using specialized API security solutions that can detect and block anomalous API activity in real time, provide endpoint-risk scoring, and stop automated scanning and payload delivery.<\/p>\n<p>Cisco has had a busy month, weathering a downpour of max-severity bugs. Earlier this month, the company patched <a href=\"https:\/\/www.csoonline.com\/article\/4016769\/hardcoded-root-credentials-in-cisco-unified-cm-trigger-max-severity-alert.html\">another root-access issue<\/a> in its communications gear, though that one was self-inflicted, with DevOps quietly stashing hardcoded credentials for internal use.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cisco has dropped another maximum-severity advisory detailing an unauthenticated remote code execution (RCE) flaw in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). The networking equipment giant warned that the flaw, much like a critical bug it fixed last month, stems from insufficient input validation in a public API. 
\u201cCisco\u2019s disclosure of the flaw highlights a troubling pattern in API-exposed&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14465\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14465","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14465","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14465"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14465\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14465"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14465"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14465"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}