Identity Services Engine
CVE-2023-20077
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to download arbitrary files from the filesystem of an affected device. These vulnerabilities are due to insufficient input validation. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to download arbitrary files from the underlying filesystem of the affected device.
AnalysisAI
Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to download arbitrary files from the filesystem of. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-37. Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to download arbitrary files from the filesystem of an affected device. These vulnerabilities are due to insufficient input validation. An attacker could exploit these vulnerabilities by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to download arbitrary files from the underlying filesystem of the affected device. Affected products include: Cisco Identity Services Engine.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Identity Services Engine
View allCisco ISE and ISE-PIC contain a critical input injection vulnerability (CVE-2025-20281, CVSS 10.0) that allows unauthent
A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker with valid read-only credentials to
A vulnerability in the authentication module of Cisco Identity Services Engine (ISE) could allow an unauthenticated, rem
CVE-2025-20282 is a critical remote code execution vulnerability in Cisco ISE and ISE-PIC that allows unauthenticated at
Default credentials in Cisco ISE cloud deployments on AWS/Azure/OCI. CVSS 9.9.
A vulnerability in the login page of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacke
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthentic
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthentic
A vulnerability in the web-based management interface of Cisco Identity Services Engine could allow an authenticated, re
A vulnerability in a specific Cisco ISE CLI command could allow an authenticated, local attacker to perform command inje
A vulnerability in the Localdisk Management feature of Cisco Identity Services Engine (ISE) could allow an authenticated
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthentic
Same weakness CWE-37 – Path Traversal: '/absolute/pathname/here'
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today