CVE-2025-20282

| EUVD-2025-19166 CRITICAL
2025-06-25 [email protected]
10.0
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 15, 2026 - 23:19 vuln.today
EUVD ID Assigned
Mar 15, 2026 - 23:19 euvd
EUVD-2025-19166
CVE Published
Jun 25, 2025 - 17:15 nvd
CRITICAL 10.0

Tags

RCE Cisco Privilege Escalation Authentication Bypass Identity Services Engine Passive Identity Connector Identity Services Engine

Description

A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and then execute those files on the underlying operating system as root. This vulnerability is due a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. An attacker could exploit this vulnerability by uploading a crafted file to the affected device. A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system.

Analysis

CVE-2025-20282 is a critical remote code execution vulnerability in Cisco ISE and ISE-PIC that allows unauthenticated attackers to upload arbitrary files to privileged directories and execute them as root via an internal API lacking file validation. This is a CVSS 10.0 vulnerability with complete system compromise impact; organizations running affected Cisco ISE deployments face immediate risk of total infrastructure takeover without authentication requirements or user interaction.

Technical Context

The vulnerability exists in an internal API endpoint within Cisco Identity Services Engine (ISE) and ISE-PIC (Policy Services Portal IC) that processes file uploads. The root cause is classified under CWE-269 (Improper Access Control / Incorrect Privilege Assignment), specifically the absence of path traversal and file type validation checks before placement of uploaded files. This allows attackers to write files directly to system directories (such as /bin, /sbin, or other privileged paths) where they execute with root privileges. The ISE platform typically runs on Linux-based appliances, and the vulnerable API endpoint should have implemented: (1) strict input validation on file names and paths, (2) canonicalization of file paths to prevent directory traversal, (3) whitelist-based file type validation, and (4) storage in non-executable, non-privileged directories with proper permission inheritance. CPE strings would identify: cpe:2.3:a:cisco:identity_services_engine and cpe:2.3:a:cisco:identity_services_engine_policy_services_portal_ic.

Affected Products

Cisco Identity Services Engine (ISE): Affected versions typically include releases prior to patched versions (specific versions from advisory: 3.2.x and earlier versions depending on the patch release; commonly 3.0.x, 3.1.x, 3.2.x are impacted). Cisco ISE-PIC (Policy Services Portal IC): Same version lineage affected. Deployment contexts: (1) Standalone ISE nodes (primary), (2) ISE distributed deployments (primary node, secondary nodes, policy services nodes), (3) Cloud-hosted ISE instances, (4) ISE-PIC standalone deployments. Organizations using ISE for enterprise network authentication, BYOD onboarding, endpoint profiling, or guest access management are affected. Virtual and physical appliance deployments are both vulnerable. Exact affected version ranges should be confirmed from Cisco security advisory (typically published as cisco-sa-2025-xxxxx).

Remediation

Immediate actions: (1) Apply Cisco security patch immediately—consult Cisco security advisory for specific patched versions (likely 3.2.x.x cumulative patch, 3.3.x GA, or later). (2) If patching cannot be completed immediately, implement network access controls: restrict API access to internal/trusted networks only, disable external API exposure, implement WAF rules to block file upload requests to the vulnerable endpoint. (3) Implement monitoring: audit logs for unusual file uploads, monitor /bin, /sbin, /usr/bin, /usr/sbin, and /root for unauthorized writes; alert on process execution from these directories by non-standard services. (4) Isolate affected ISE instances from untrusted networks until patched. (5) Review ISE deployment architecture: if ISE is directly internet-facing, implement network segmentation immediately. Vendor patch sources: Cisco Security Advisories page (https://tools.cisco.com/security/center/), search for CVE-2025-20282 or the corresponding cisco-sa advisory. Workarounds: None fully effective—patching is required. Mitigation: Network-based restrictions and monitoring can reduce but not eliminate risk.

Priority Score

50
Low Medium High Critical
KEV: 0
EPSS: +0.3
CVSS: +50
POC: 0

Share

CVE-2025-20282 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy