
Identity Services Engine CVE-2025-20282

EUVD-2025-19166 | CRITICAL
Improper Privilege Management (CWE-269)
Published: 2025-06-25 | Source: psirt@cisco.com
CVSS 3.1 base score: 10.0

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 15, 2026 - 23:19 (euvd), EUVD-2025-19166
Analysis Generated: Mar 15, 2026 - 23:19 (vuln.today)
CVE Published: Jun 25, 2025 - 17:15 (nvd)

Description (NVD)

A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and then execute those files on the underlying operating system as root.

This vulnerability is due to a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. An attacker could exploit this vulnerability by uploading a crafted file to the affected device. A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system.

Analysis (AI)

CVE-2025-20282 is a critical remote code execution vulnerability in Cisco ISE and ISE-PIC that allows unauthenticated attackers to upload arbitrary files to privileged directories and execute them as root via an internal API that lacks file validation. With a CVSS score of 10.0 and full loss of confidentiality, integrity and availability, organizations running affected Cisco ISE deployments face an immediate risk of total infrastructure takeover, with no authentication or user interaction required.

Technical Context (AI)

The vulnerability exists in an internal API endpoint within Cisco Identity Services Engine (ISE) and ISE-PIC (Policy Services Portal IC) that processes file uploads. The root cause is classified under CWE-269 (Improper Privilege Management): the endpoint performs no path-traversal or file-type validation before placing uploaded files. This lets an attacker write files directly into system directories (such as /bin, /sbin, or other privileged paths), from which they execute with root privileges.

The ISE platform typically runs on Linux-based appliances. The vulnerable API endpoint should have implemented:
(1) strict input validation on file names and paths,
(2) canonicalization of file paths to prevent directory traversal,
(3) whitelist-based file type validation, and
(4) storage in non-executable, non-privileged directories with proper permission inheritance.

CPE strings would identify: cpe:2.3:a:cisco:identity_services_engine and cpe:2.3:a:cisco:identity_services_engine_policy_services_portal_ic.
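The four controls listed above, shown as an added Python illustration of a hardened upload handler; this is not Cisco's code and not taken from the advisory, and the upload root, the extension whitelist and the sample file names are constructed for the example:

```python
import os
import re
import tempfile

# Constructed whitelist for this example; a real service lists only the types it needs.
ALLOWED_EXTENSIONS = {".csv", ".pem", ".txt"}
# Bare basename only: no separators, NUL bytes, leading dot or '..'; 128 chars at most.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

def validate_upload_name(filename: str) -> str:
    """Controls (1) and (3): strict name validation plus extension whitelist."""
    if not _SAFE_NAME.fullmatch(filename):
        raise ValueError(f"not a bare, safe file name: {filename!r}")
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not whitelisted: {filename!r}")
    return filename

def resolve_upload_target(upload_root: str, filename: str) -> str:
    """Control (2): canonicalize and confine the destination to the upload root.
    realpath() follows symlinks, so a planted link inside the root is caught too."""
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, validate_upload_name(filename)))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"destination escapes upload root: {target}")
    return target

def store_upload(upload_root: str, filename: str, data: bytes) -> str:
    """Control (4): dedicated non-privileged directory, no overwrite (O_EXCL), mode 0640."""
    target = resolve_upload_target(upload_root, filename)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target

def accepts(upload_root: str, filename: str) -> bool:
    # True if the name would be stored inside upload_root, False if rejected.
    try:
        resolve_upload_target(upload_root, filename)
        return True
    except ValueError:
        return False

def demo() -> dict:
    """Exercise the checks against a temporary upload root and report the outcomes."""
    root = tempfile.mkdtemp()
    os.symlink(os.path.dirname(root), os.path.join(root, "link.txt"))  # planted symlink
    stored = store_upload(root, "report.txt", b"constructed sample content\n")
    return {"traversal": accepts(root, "../../bin/evil.txt"), "bad_ext": accepts(root, "payload.sh"),
            "symlink": accepts(root, "link.txt"), "clean": accepts(root, "report.txt"),
            "executable": bool(os.stat(stored).st_mode & 0o111)}
```

The symlink case matters because a literal traversal check on the submitted name alone would pass "link.txt" while the write still lands outside the upload root.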

Remediation (AI)

Immediate actions:
(1) Apply the Cisco security patch immediately; consult the Cisco security advisory for the specific patched versions (likely 3.2.x.x cumulative patch, 3.3.x GA, or later).
(2) If patching cannot be completed immediately, implement network access controls: restrict API access to internal/trusted networks only, disable external API exposure, and implement WAF rules to block file upload requests to the vulnerable endpoint.
(3) Implement monitoring: audit logs for unusual file uploads; monitor /bin, /sbin, /usr/bin, /usr/sbin, and /root for unauthorized writes; alert on process execution from these directories by non-standard services.
(4) Isolate affected ISE instances from untrusted networks until patched.
(5) Review the ISE deployment architecture: if ISE is directly internet-facing, implement network segmentation immediately.

Vendor patch sources: Cisco Security Advisories page (https://tools.cisco.com/security/center/); search for CVE-2025-20282 or the corresponding cisco-sa advisory.
Workarounds: none fully effective; patching is required.
Mitigation: network-based restrictions and monitoring can reduce but not eliminate risk.


CVE-2025-20282 vulnerability details – vuln.today
