Cisco has released security patches to address critical security flaws affecting the Identity Services Engine (ISE).
Security flaws tracked as an AS CVE-2025-20286carry a CVSS score of 9.9 out of 10.0. It is said to be a static credential vulnerability.
“Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments allow ruthless remote attackers to access sensitive data, perform restricted management operations, modify system configurations, and denial services within the system.”
The networking equipment manufacturer, who praised GMO Cybersecurity’s Kentaro Kawane for reporting the flaws, noted that they are aware of the existence of proof of concept (POC) exploits. There is no evidence that it was misused in the wild.
Cisco said the issue stems from the fact that when Cisco ISE is deployed on a cloud platform, the credentials are generated improperly, and different deployments share the same credentials as long as the software release and cloud platform are the same.
Put another way, static credentials are specific to each release and platform, but not valid across platforms. As the company emphasizes, all instances of Cisco ISE Release 3.1 on AWS have the same static credentials.
However, the credentials valid for accessing a Release 3.1 deployment are not valid for accessing a Release 3.2 deployment on the same platform. Additionally, AWS release 3.2 does not have the same credentials as Azure release 3.2.
The successful exploitation of the vulnerability allows an attacker to extract user credentials from a Cisco ISE cloud deployment and use it to access Cisco ISE deployed to other cloud environments through a specific port.
This ultimately allows for unauthorized access to sensitive data, perform limited administrative operations, modify system configuration, or disruption of services. That said, Cisco ISE is only affected if the primary management node is deployed in the cloud. Primary management nodes that are on-premises are not affected.
The following versions are affected –
- AWS -Cisco ISE 3.1, 3.2, 3.3, and 3.4
- Azure – Cisco ISE 3.2, 3.3, and 3.4
- OCI – Cisco ISE 3.2, 3.3, and 3.4
Although there is no workaround to address CVE-2025-20286, Cisco recommends that users either restrict traffic to certified administrators or run the “Application Reset Configuration ISE” command to reset the user password to the new value. However, it has been pointed out that running the command will reset Cisco ISE to its factory configuration.
