Two CVSS 10 bugs in Cisco ISE (its security policy management platform) are under attack and give unauthenticated, remote attackers root. 

All exploitation takes is a “crafted API request”. The bugs affect Cisco ISE and ISE-PIC releases 3.3 and 3.4, “regardless of device configuration.”

They follow Cisco’s admission last month that a CVSS 9.9 bug in the same product affects default configurations of the software when it is deployed on AWS, Azure, and Oracle Cloud, because deployments ship with static credentials.

See also: CVSS 9.9. Static credentials. In your cloud. Cisco WTF, again?

There appear to be some 1,800 Cisco ISE instances publicly available. (This scan result does not filter by potentially vulnerable release versions.)

The two exploited Cisco ISE vulnerabilities, allocated CVE-2025-20281 and CVE-2025-20337, were added to CISA’s KEV catalogue today.

Both vulnerabilities “are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device,” said Cisco in a security advisory.

There are no workarounds and patching is imperative. 

The networking giant said:

  • If Cisco ISE is running Release 3.4 Patch 2, no further action is necessary.
  • If Cisco ISE is running Release 3.3 Patch 6, additional fixes are available in Release 3.3 Patch 7, and the device must be upgraded.
  • If Cisco ISE has either hot patch ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz or hot patch ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz installed, Cisco recommends upgrading to Release 3.3 Patch 7 or Release 3.4 Patch 2. The hot patches did not address CVE-2025-20337, it admitted. 
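The three bullets above amount to a small decision tree, and the hot patch caveat is the part most likely to be missed in a hurried fleet review. The following is an added triage helper written for this article, not code from Cisco or from the advisory. It encodes only what the page states (3.3 and 3.4 affected; 3.3 Patch 7 and 3.4 Patch 2 fixed; the two named hot patch bundles do not cover CVE-2025-20337). The version-string format `"<major>.<minor> Patch <n>"` and the idea of passing hot patch bundle filenames are assumptions for the example; map your own inventory fields onto them.

```python
"""Patch-state triage for the two Cisco ISE CVEs described above.

Added example, not Cisco's code. Assumed input format (not from the
advisory): version strings such as "3.3 Patch 6" ("3.3" alone means no
cumulative patch), and hot patches identified by their bundle filename.
"""
import re
from dataclasses import dataclass

# Fix levels quoted on this page: Release 3.3 Patch 7 and Release 3.4 Patch 2.
FIXED_PATCH = {"3.3": 7, "3.4": 2}

# Hot patch bundles the advisory says do NOT address CVE-2025-20337.
INSUFFICIENT_HOTPATCHES = {
    "ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz",
    "ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz",
}

_VERSION_RE = re.compile(r"^\s*(\d+\.\d+)(?:\s+patch\s+(\d+))?\s*$", re.IGNORECASE)


@dataclass
class Verdict:
    status: str  # "fixed", "vulnerable", or "not_listed"
    action: str


def parse_version(text):
    """Split "3.3 Patch 6" into ("3.3", 6); a bare "3.4" is patch level 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    return m.group(1), int(m.group(2) or 0)


def triage(version, hotpatches=()):
    """Decide whether a node needs action for CVE-2025-20281 / CVE-2025-20337."""
    release, patch = parse_version(version)

    # Only 3.3 and 3.4 are named as affected on this page; anything else is
    # reported as not listed here rather than declared safe.
    if release not in FIXED_PATCH:
        return Verdict(
            "not_listed",
            f"Release {release} is not in the affected list (3.3, 3.4) quoted "
            "here; confirm against the advisory directly.",
        )

    fixed = FIXED_PATCH[release]
    if patch >= fixed:
        return Verdict("fixed", "No further action is necessary for these two CVEs.")

    action = f"Upgrade to Release {release} Patch {fixed}."
    # A hot patch does not change the verdict: it leaves CVE-2025-20337 open.
    if set(hotpatches) & INSUFFICIENT_HOTPATCHES:
        action += (
            " The installed hot patch does not address CVE-2025-20337, so the "
            "node is still exposed until the cumulative patch is applied."
        )
    return Verdict("vulnerable", action)


if __name__ == "__main__":
    # Constructed inventory rows for illustration only.
    fleet = [
        ("ise-pan-01", "3.4 Patch 2", []),
        ("ise-psn-01", "3.3 Patch 6", []),
        ("ise-psn-02", "3.3 Patch 4", ["ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz"]),
        ("ise-legacy", "3.2 Patch 5", []),
    ]
    for host, version, hot in fleet:
        v = triage(version, hot)
        print(f"{host:12} {version:12} {v.status:10} {v.action}")
```

Run against an export of your node inventory; anything reported `vulnerable` should be scheduled for the cumulative patch regardless of hot patch state, since the advisory text above is explicit that the hot patches leave CVE-2025-20337 unaddressed.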

Cisco ISE is, as the company’s product sheet puts it, its “next-generation NAC [network access control] solution used to manage endpoint, user, and device access to network resources within a zero-trust architecture.”

Given the rate at which maximum severity CVEs for it are landing, it’s also an absolute security liability. Last month’s CVSS 9.9 bug saw it shockingly admit that “different Cisco ISE deployments shar[e] the same credentials.”

See also: Cisco ASA zero days exploited in wild: NCSC says “pull the power plug” to avoid persistence
