Critical Vulnerabilities in Cisco’s Identity Services Engine: A Detailed Analysis

February 6, 2025

Cisco has issued fixes for two critical vulnerabilities in its Identity Services Engine (ISE), the platform many organizations use for network access control and identity-based policy enforcement. The flaws, CVE-2025-20124 and CVE-2025-20125, can be exploited by authenticated remote attackers holding only read-only administrative privileges to execute arbitrary commands as root and to bypass authorization on unpatched devices. Both affect Cisco ISE and Cisco ISE Passive Identity Connector (ISE-PIC) appliances regardless of device configuration, so there is no configuration-based way to avoid exposure short of upgrading.

"This vulnerability is due to insecure deserialization of user-supplied Java byte streams by the affected software," Cisco stated while explaining the CVE-2025-20124 bug, which has a severity rating of 9.9 out of 10. "An attacker could exploit this vulnerability by sending a crafted serialized Java object to an affected API. A successful exploit could allow the attacker to execute arbitrary commands on the device and elevate privileges."
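To make the bug class concrete, the following is an added example and not code from Cisco ISE or from the advisory. It shows the pattern Cisco describes (an API that hands user-supplied bytes straight to ObjectInputStream.readObject(), CWE-502) beside a hardened version that installs a JEP 290 ObjectInputFilter (Java 9+) allowlisting the one type the endpoint expects and capping stream size, graph depth and reference count. The TaskRequest class, the byte payloads and the HashMap standing in for an attacker-chosen type are all constructed for the demonstration; a real exploit would carry a gadget chain, but any type outside the allowlist is rejected the same way.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

public class DeserializationDemo {

    // Hypothetical request payload that the API legitimately accepts (constructed for this example).
    static final class TaskRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        TaskRequest(String name) { this.name = name; }
    }

    // VULNERABLE: readObject() instantiates whatever classes the byte stream names.
    // An authenticated caller who can reach the API therefore chooses the types, and
    // any gadget chain present on the classpath runs with the service's privileges.
    static Object handleUnsafe(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // Only the types this endpoint is designed to receive. Everything else is rejected.
    static final Set<String> ALLOWED = Set.of(TaskRequest.class.getName(), String.class.getName());

    // HARDENED: the filter is consulted before each class is resolved, so a rejected
    // type never gets instantiated and its readObject()/readResolve() never executes.
    static Object handleSafe(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(info -> {
                // Resource limits: bound the work an attacker can force before type checks apply.
                if (info.streamBytes() > 16 * 1024 || info.depth() > 3 || info.references() > 20) {
                    return ObjectInputFilter.Status.REJECTED;
                }
                Class<?> c = info.serialClass();
                if (c == null) {
                    return ObjectInputFilter.Status.UNDECIDED; // not a class check (e.g. back-reference)
                }
                return ALLOWED.contains(c.getName())
                        ? ObjectInputFilter.Status.ALLOWED
                        : ObjectInputFilter.Status.REJECTED;
            });
            return in.readObject();
        }
    }

    // Helper to build the test payloads; in the vulnerable scenario the attacker produces these bytes.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new TaskRequest("rotate-certs"));
        // Constructed stand-in for an attacker-chosen type. Real payloads carry gadget
        // chains, but the filter rejects any class outside ALLOWED identically.
        byte[] hostile = serialize(new HashMap<String, String>());

        System.out.println("unsafe, legit:   " + handleUnsafe(legit).getClass().getName());
        System.out.println("unsafe, hostile: " + handleUnsafe(hostile).getClass().getName());
        System.out.println("safe, legit:     " + handleSafe(legit).getClass().getName());
        try {
            handleSafe(hostile);
            System.out.println("safe, hostile:   accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("safe, hostile:   rejected by filter: " + e.getMessage());
        }
    }
}
```

The unsafe handler accepts both payloads; the hardened handler returns the TaskRequest and throws InvalidClassException for the HashMap. The allowlist and limits here are illustrative and must be sized to the real endpoint's data; the durable fix is not to accept Java serialization from any caller at all, since an authenticated read-only user is still an attacker from the deserializer's point of view.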

The second vulnerability, CVE-2025-20125, stems from a missing authorization check in a specific API combined with improper validation of user-supplied input. An attacker with the same read-only administrative credentials can send crafted HTTP requests to read information, change the vulnerable system's configuration, and reload the device. Administrators are urged to upgrade or migrate their Cisco ISE appliances to one of the fixed releases as soon as possible.

As of now, Cisco's Product Security Incident Response Team (PSIRT) has found no evidence of publicly available exploit code for these two flaws, which were reported by Deloitte security researchers Dan Marin and Sebastian Radulea, nor of their use in attacks. On the same day, Cisco also warned of high-severity vulnerabilities affecting its IOS, IOS XE and IOS XR software (CVE-2025-20169, CVE-2025-20170, CVE-2025-20171) and its NX-OS software (CVE-2024-20397) that can allow attackers to trigger denial of service (DoS) conditions or, in the NX-OS case, bypass image signature verification.

Cisco has yet to release patches for the DoS vulnerabilities affecting IOS, IOS XE and IOS XR software with the SNMP feature enabled. It stated that these vulnerabilities are not being exploited in the wild and provided a mitigation: administrators should disable the affected object identifiers (OIDs) on vulnerable devices, even though doing so may degrade network functionality or performance. Cisco plans to release software updates addressing the SNMP DoS bugs in February and March.

In September, Cisco resolved another Identity Services Engine vulnerability (with public exploit code) that allows threat actors to escalate privileges to root on vulnerable appliances. Two months later, it also patched a maximum severity vulnerability that allows attackers to run commands with root privileges on vulnerable Ultra-Reliable Wireless Backhaul (URWB) access points.
