Cisco has addressed a critical vulnerability, tracked as CVE-2025-20337 (CVSS score 10.0), in Cisco Identity Services Engine (ISE) and Cisco Identity Services Engine Passive Identity Connector (ISE-PIC). An unauthenticated remote attacker could trigger the vulnerability to execute arbitrary code on the underlying operating system with root privileges.
Vulnerability Summary:
A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.
Affected Versions:
CVE-2025-20281 and CVE-2025-20337: These vulnerabilities affect Cisco ISE and ISE-PIC Releases 3.3 and 3.4, regardless of device configuration. They do not affect Cisco ISE and ISE-PIC Release 3.2 or earlier.
- If Cisco ISE is running Release 3.4 Patch 2, no further action is necessary.
- If Cisco ISE is running Release 3.3 Patch 6, additional fixes are available in Release 3.3 Patch 7, and the device must be upgraded.
- If Cisco ISE has either hot patch ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz or hot patch ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz installed, Cisco recommends upgrading to Release 3.3 Patch 7 or Release 3.4 Patch 2. These hot patches did not address CVE-2025-20337 and have been deferred from CCO, so a device with only a hot patch applied should still be treated as vulnerable.
Workarounds:
There are no workarounds that address the vulnerability.
Recommended Actions:
Customers are advised to upgrade to an appropriate fixed software release as indicated in the following table.
Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.
Cisco ISE or ISE-PIC Release | First Fixed Release for CVE-2025-20281 | First Fixed Release for CVE-2025-20282 | First Fixed Release for CVE-2025-20337
---|---|---|---
3.2 and earlier | Not vulnerable | Not vulnerable | Not vulnerable
3.3 | 3.3 Patch 7 | Not vulnerable | 3.3 Patch 7
3.4 | 3.4 Patch 2 | 3.4 Patch 2 | 3.4 Patch 2
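As an added example (not part of the Cisco advisory or any Cisco tooling), the following Python script encodes the fixed-release table above and the hot-patch caveat from the "Affected Versions" section, so that a fleet of ISE/ISE-PIC nodes can be triaged from their version and cumulative patch level. The `show version` sample embedded below is constructed for illustration and the parser assumes its layout (a `Version :` line for the build, and a second `Version :` line under a `Patch` heading); adjust `parse_show_version` if your appliances print it differently. The `installed_hot_patches` argument is assumed to come from your own change records.

```python
"""Triage Cisco ISE / ISE-PIC nodes against the first-fixed-release table
in this bulletin. Added example, not Cisco code."""
import re

# Release train -> first fixed cumulative patch, per CVE (from the table above).
# A train absent from a CVE's map is listed as "Not vulnerable" in the table.
FIRST_FIXED = {
    "CVE-2025-20281": {"3.3": 7, "3.4": 2},
    "CVE-2025-20282": {"3.4": 2},
    "CVE-2025-20337": {"3.3": 7, "3.4": 2},
}
TABLE_TRAINS = ("3.3", "3.4")   # trains the table explicitly covers

# Hot patches the bulletin says were deferred and do NOT fix CVE-2025-20337.
DEFERRED_HOT_PATCHES = {
    "ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz",
    "ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz",
}


def release_train(version):
    """Reduce a full build string such as '3.3.0.430' to its train, '3.3'."""
    m = re.match(r"^(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised ISE version string: {version!r}")
    return f"{m.group(1)}.{m.group(2)}"


def _as_tuple(train):
    return tuple(int(p) for p in train.split("."))


def assess(version, patch_level, installed_hot_patches=()):
    """Return {cve: status} for the three CVEs in this bulletin.

    version: ISE/ISE-PIC build (e.g. '3.3.0.430'); patch_level: cumulative
    patch installed (0 for none); installed_hot_patches: hot-patch filenames
    applied to the node (assumed to be tracked outside this script).
    """
    train = release_train(version)
    status = {}
    for cve, fixed_by in FIRST_FIXED.items():
        if train in fixed_by:
            status[cve] = "fixed" if patch_level >= fixed_by[train] else "vulnerable"
        elif _as_tuple(train) <= _as_tuple("3.2") or train in TABLE_TRAINS:
            status[cve] = "not vulnerable"   # 3.2 and earlier, or 3.3 for CVE-2025-20282
        else:
            status[cve] = "unknown"          # newer than the table covers; check Cisco
    # A deferred hot patch does not count as a fix for CVE-2025-20337.
    if (status["CVE-2025-20337"] == "vulnerable"
            and DEFERRED_HOT_PATCHES.intersection(installed_hot_patches)):
        status["CVE-2025-20337"] = "vulnerable (deferred hot patch only)"
    return status


# Constructed sample of 'show version' output; layout is an assumption.
SAMPLE_SHOW_VERSION = """\
Cisco Identity Services Engine
---------------------------------------------
Version      : 3.3.0.430
Install Date : Mon Jan  8 10:02:17 2024

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 6
Install Date : Tue Feb 11 09:41:55 2025
"""


def parse_show_version(text):
    """Return (build, patch_level) from 'show version' text laid out like
    SAMPLE_SHOW_VERSION. patch_level is 0 when no Patch section is present."""
    build, patch, in_patch = None, 0, False
    for line in text.splitlines():
        if "Patch" in line:
            in_patch = True
        m = re.match(r"\s*Version\s*:\s*(\S+)", line)
        if not m:
            continue
        if in_patch:
            patch = int(m.group(1))
        elif build is None:
            build = m.group(1)
    if build is None:
        raise ValueError("no 'Version :' line found in show version output")
    return build, patch


if __name__ == "__main__":
    build, patch = parse_show_version(SAMPLE_SHOW_VERSION)
    for cve, state in assess(build, patch).items():
        print(f"{build} patch {patch}: {cve} -> {state}")
```

Feed each node's `show version` output (or its build and patch level from your inventory) to `assess`; anything that comes back "vulnerable" or "unknown" goes on the upgrade list, and the hot-patch branch makes sure a node that only received the CSCwo99449 hot patch is not mistaken for a fixed one.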
Reference:
Cisco Security Bulletin – CVE-2025-20337
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.