Cisco has issued patches for two critical security vulnerabilities affecting its Identity Services Engine (ISE) platform. The flaws, identified as CVE-2025-20124 and CVE-2025-20125, could allow authenticated remote attackers with read-only administrator privileges to execute arbitrary commands as root and bypass authorisation on affected systems. The flaws were reported by Deloitte security researchers Dan Marin and Sebastian Radulea.

Cisco ISE, a security policy management platform used for identity and access management, is impacted by these flaws, along with the Cisco ISE Passive Identity Connector (ISE-PIC). The vulnerabilities exist regardless of device configuration, making all deployments potentially susceptible.

CVE-2025-20124 originates from insecure Java deserialisation within an API. An attacker could exploit this by sending a specially crafted serialised Java object, enabling remote execution of arbitrary commands with root-level privileges. To exploit this, the attacker would need valid read-only administrative credentials.

CVE-2025-20125, meanwhile, is caused by insufficient authorisation checks in a specific API and improper validation of user-supplied data. Exploiting this flaw using maliciously crafted HTTP requests could allow attackers to access sensitive information, modify system configurations, or reload the affected device.
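The deserialisation weakness behind CVE-2025-20124 is a general pattern: an API endpoint that feeds caller-supplied bytes to `ObjectInputStream.readObject()` lets the caller choose which classes get instantiated. The following added example (not Cisco's code, and the `StatusRequest` type and API shape are hypothetical) shows that pattern beside the standard hardening: a JEP 290 `ObjectInputFilter` that allow-lists the one expected class, bounds graph depth, and rejects everything else before it is instantiated.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class DeserializationFilterDemo {

    // Hypothetical message type that this API endpoint is meant to accept.
    public static final class StatusRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String nodeName;
        StatusRequest(String nodeName) { this.nodeName = nodeName; }
    }

    // Vulnerable pattern: any serialisable class the caller names in the stream is instantiated.
    static Object unsafeRead(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // Hardened pattern: allow-list the expected class (plus String for its field), cap nesting
    // depth, and reject every other class with the trailing "!*" rule.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=4;" + StatusRequest.class.getName() + ";java.lang.String;!*");

    static StatusRequest safeRead(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(FILTER); // rejected classes raise InvalidClassException
            return (StatusRequest) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one expected request body, one body naming an unexpected class.
        byte[] expected = serialize(new StatusRequest("ise-node-1"));
        System.out.println("accepted: " + safeRead(expected).nodeName);
        byte[] unexpected = serialize(new HashMap<String, String>());
        System.out.println("unsafeRead accepted: " + unsafeRead(unexpected).getClass().getName());
        try { safeRead(unexpected); }
        catch (InvalidClassException e) { System.out.println("safeRead rejected: " + e.getMessage()); }
    }
}
```

The filter can also be installed process-wide with `ObjectInputFilter.Config.setSerialFilter` (or the `jdk.serialFilter` system property) so that no endpoint can forget it; the read-only-admin credential requirement reported for this flaw limits who can reach the endpoint, but it does not substitute for the filter.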

Cisco’s response and patch availability

Cisco has released software updates addressing both vulnerabilities. There are no available workarounds, and administrators are advised to upgrade affected appliances to a fixed version. The company has confirmed that the exploitation of one flaw does not depend on the other, and different software versions may be affected by only one of the two issues.

Cisco’s Product Security Incident Response Team (PSIRT) has stated that there is no evidence of public exploit code or active attacks leveraging these vulnerabilities.

In a separate advisory, Cisco disclosed multiple high-severity vulnerabilities affecting its network operating systems, including IOS, IOS XE, IOS XR, and NX-OS. These flaws, tracked as CVE-2025-20169, CVE-2025-20170, CVE-2025-20171, and CVE-2024-20397, could enable attackers to cause denial-of-service (DoS) conditions or bypass NX-OS image signature verification.

Cisco has not yet released patches for DoS vulnerabilities in IOS, IOS XE, and IOS XR software when the SNMP feature is enabled. The company has provided mitigation recommendations, including disabling certain object identifiers (OIDs), though this could impact network performance. Patches for these flaws are expected between February and March.

This is not the first time Cisco’s ISE platform has been affected by security flaws. In September 2024, the company patched another vulnerability that allowed attackers to escalate privileges to root on vulnerable appliances. Two months later, it addressed a maximum severity vulnerability that enabled attackers to execute commands with root privileges on Ultra-Reliable Wireless Backhaul (URWB) access points.

Cisco advises administrators to apply the latest security updates as soon as possible to mitigate risks associated with these vulnerabilities. Customers with service contracts are encouraged to obtain security fixes through their usual update channels. Only licensed software versions and feature sets will receive official support.