How to fix CVE-2025-20281?

Within 24 hours: Isolate affected Cisco ISE/ISE-PIC systems from untrusted networks; disable external API access where operationally feasible; enable enhanced logging and monitoring for suspicious API requests. Within 7 days: Conduct inventory of all ISE/ISE-PIC deployments and their network exposure; implement network segmentation to restrict API access to authorized sources only; deploy WAF rules to block malicious payloads targeting the vulnerable API endpoint. Within 30 days: Continuously monitor Cisco security advisories for patch availability; prepare and test patch deployment procedures; consider architectural changes to reduce ISE internet exposure if applicable.

Is Identity Services Engine Passive Identity Connector affected by CVE-2025-20281?

A critical, actively exploited vulnerability in Cisco ISE and ISE-PIC allows unauthenticated attackers to gain root-level control of affected systems without requiring valid credentials.

CVE-2025-20281

EUVD-2025-19167 CRITICAL

2025-06-25 [email protected]

10.0

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 15, 2026 - 23:19 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 23:19 euvd

EUVD-2025-19167

Added to CISA KEV

Oct 28, 2025 - 13:59 cisa

CISA KEV

PoC Detected

Oct 28, 2025 - 13:59 vuln.today

Public exploit code

CVE Published

Jun 25, 2025 - 16:15 nvd

CRITICAL 10.0

Description

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.

Analysis

Cisco ISE and ISE-PIC contain a critical input injection vulnerability (CVE-2025-20281, CVSS 10.0) that allows unauthenticated remote attackers to execute arbitrary code as root on the underlying operating system. With EPSS 30.4% and KEV listing, this vulnerability targets the network access control platform that governs who and what can access the enterprise network — compromising ISE means controlling network admission for the entire organization.

Technical Context

Cisco ISE (Identity Services Engine) is the central NAC (Network Access Control) platform that authenticates users and devices, enforces access policies, and controls who can connect to the network. The vulnerability exists in an API endpoint that does not require authentication and fails to properly validate user input. Successful exploitation provides root-level code execution on the ISE appliance. Compromise of ISE gives attackers control over network access policies for the entire organization.

Affected Products

['Cisco Identity Services Engine (ISE)', 'Cisco ISE Passive Identity Connector (ISE-PIC)']

Remediation

Apply Cisco security update IMMEDIATELY — emergency priority. Restrict API access to trusted management networks. Monitor ISE policy changes for unauthorized modifications. Audit network access logs for suspicious device admissions. Review RADIUS/TACACS configurations for tampering.

Priority Score

150

Low Medium High Critical

KEV: +50

EPSS: +30.4

CVSS: +50

POC: +20

CVE-2025-20281 vulnerability details – vuln.today

Back

CVE-2025-20281

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-20281

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code