One or more vulnerabilities affecting Cisco Identity Services Engine (ISE) are being exploited in the wild, Cisco has confirmed by updating the security advisory for the flaws.

About the vulnerabilities

The three vulnerabilities affect Cisco’s Identity Services Engine (ISE) – a network security policy and access control system for enterprises – and Cisco ISE Passive Identity Connector (ISE-PIC), which is a lightweight identity service that allows Cisco ISE to passively gather user identity information.

CVE-2025-20281 and CVE-2025-20337 stem from insufficient validation of user-supplied input. Both can be triggered by remote, unauthenticated attackers sending a maliciously crafted API request, and may allow them to obtain root privileges on an affected device.

CVE-2025-20282 is due to a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. It may allow unauthenticated, remote attackers to stash malicious files on vulnerable systems and then execute arbitrary code or obtain root privileges on them.
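To illustrate the class of flaw described for CVE-2025-20282 (uploaded files landing outside the intended directory), here is an added example of a weak upload-destination routine beside a hardened one. It is illustrative code written for this article, not Cisco's code, and the upload directory, file names and the `check_upload_name` helper are all assumed.

```python
import os

# Constructed example (not Cisco ISE code): deciding where an uploaded file lands.
# The weak routine trusts the client-supplied name; the hardened routine rejects
# any name that carries a directory component and then verifies, after path
# canonicalisation, that the destination still lies inside the upload directory.


def weak_destination(upload_dir: str, client_name: str) -> str:
    """Weak: joins the client-supplied name directly into upload_dir.

    A name containing '..' or an absolute path resolves to a location outside
    upload_dir, which is the kind of missing file-validation check the article
    describes.
    """
    return os.path.normpath(os.path.join(upload_dir, client_name))


def check_upload_name(upload_dir: str, client_name: str):
    """Hardened: returns (accepted, destination_or_reason).

    Rejects names with path separators or special components, then confirms the
    canonical destination is still under the canonical upload directory.
    """
    if not client_name or client_name in (".", ".."):
        return False, "empty or special file name"
    if "/" in client_name or "\\" in client_name:
        return False, "file name contains a path separator"
    if "\x00" in client_name:
        return False, "file name contains a NUL byte"

    base = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(base, client_name))
    # commonpath also rejects sibling directories that merely share a prefix,
    # e.g. /var/uploads versus /var/uploads_other.
    if os.path.commonpath([base, dest]) != base:
        return False, "destination escapes upload directory"
    return True, dest


if __name__ == "__main__":
    # Constructed sample names a defender might see in upload logs.
    for name in ["report.csv", "../../etc/x", "/tmp/x", "..\\x", ""]:
        print(repr(name), "->", check_upload_name("/var/uploads", name))
```

The hardened version deliberately rejects rather than silently sanitises a bad name: a rejection can be logged and alerted on, whereas stripping the directory part would hide the attempt.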

“The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit another vulnerability,” the company said.

Cisco did not specify which of the three vulnerabilities are being probed or exploited, nor did it share details about the attacks, which it says were spotted in July 2025.

The company patched CVE-2025-20281 and CVE-2025-20282 in late June, then updated the fix to cover CVE-2025-20337 a week ago.

Customers running Cisco ISE or ISE-PIC version 3.2 or earlier are not affected, but those on versions 3.3 and 3.4 are urged to upgrade to 3.3 Patch 7 or 3.4 Patch 2 as soon as possible, as there are no workarounds that mitigate the risk of exploitation.
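For defenders sweeping an ISE fleet, the version rule above is easy to get wrong by hand (a bare "3.4" is Patch 0 and needs upgrading). The following added example, not from Cisco or the article, turns the stated rule into a small triage helper: 3.2 and earlier are not affected, 3.3 needs Patch 7 or later, 3.4 needs Patch 2 or later, and anything else is reported as unknown so it is checked against the advisory itself. The version-string format ("X.Y" or "X.Y Patch N"), the inventory records and the function names are assumptions.

```python
import re

# Affected/fixed releases as stated in the article's summary of Cisco's advisory.
LAST_UNAFFECTED = (3, 2)            # 3.2 and earlier: not affected
FIXED_PATCH = {(3, 3): 7, (3, 4): 2}  # minimum patch level per affected release

# Assumed version-string format, e.g. "3.3", "3.3 Patch 6", "3.4 patch 2".
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s*patch\s*(\d+))?\s*$", re.IGNORECASE)


def parse_ise_version(text: str):
    """Return ((major, minor), patch). A missing patch level means Patch 0."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor)), int(patch or 0)


def triage(text: str) -> str:
    """Classify one version string against the rule quoted in the article."""
    release, patch = parse_ise_version(text)
    if release <= LAST_UNAFFECTED:
        return "not affected"
    if release in FIXED_PATCH:
        return "patched" if patch >= FIXED_PATCH[release] else "upgrade required"
    # A release the article does not cover: do not guess, check the advisory.
    return "unknown"


def triage_inventory(records):
    """records: iterable of 'host,version' lines. Returns [(host, version, status)]."""
    results = []
    for line in records:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = (part.strip() for part in line.split(",", 1))
        try:
            status = triage(version)
        except ValueError:
            status = "unparseable"
        results.append((host, version, status))
    return results


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """
# host,version
ise-dc1,3.2 Patch 5
ise-dc2,3.3 Patch 6
ise-dc3,3.3 Patch 7
ise-branch,3.4
ise-lab,3.4 Patch 2
ise-old,3.1
ise-odd,three.four
""".strip().splitlines()

if __name__ == "__main__":
    for host, version, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:12s} {version:14s} {status}")
```

Anything reported as "upgrade required" or "unknown" is the list to act on first; "unparseable" entries point at inventory data that needs cleaning before it can be trusted.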
