Critical ISE Vulnerabilities
Posted by: Ravie Lakshmanan on February 6, 2025
Categories: United States
Cisco Releases Updates to Address Critical ISE Vulnerabilities
Cisco has released updates to address two critical security flaws in its Identity Services Engine (ISE) that could allow remote attackers to execute arbitrary commands and elevate privileges on susceptible devices.
Vulnerabilities:
- CVE-2025-20124 (CVSS score: 9.9) – An insecure Java deserialization vulnerability in an API of Cisco ISE that could permit an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device.
- CVE-2025-20125 (CVSS score: 9.1) – An authorization bypass vulnerability in an API of Cisco ISE could permit an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node.
Exploitation:
An attacker could weaponize either of the flaws by sending a crafted serialized Java object or an HTTP request to an unspecified API endpoint, leading to privilege escalation and code execution.
Fixed Versions:
Cisco has addressed the vulnerabilities in the following versions:
- Cisco ISE software release 3.0 (Migrate to a fixed release)
- Cisco ISE software release 3.1 (Fixed in 3.1P10)
- Cisco ISE software release 3.2 (Fixed in 3.2P7)
- Cisco ISE software release 3.3 (Fixed in 3.3P4)
- Cisco ISE software release 3.4 (Not vulnerable)
Discovery and Repair:
Deloitte security researchers Dan Marin and Sebastian Radulea have been credited with discovering and repairing the vulnerabilities.
Recommendation:
While Cisco is not aware of any malicious exploitation of the flaws, users are advised to keep their systems up-to-date for optimal protection.
Stay Informed:
Follow us on Twitter and LinkedIn to read more exclusive content we post.
