The insecure deserialization and authorization bypass flaws could enable attackers to escalate privileges and run arbitrary commands.
Cisco is warning enterprise admins of two critical flaws within its identity and access management (IAM) solution, Identity Services Engine (ISE), that could allow attackers to obtain unauthorized privileges and run arbitrary commands on affected systems.
Tracked as CVE-2025-20124 and CVE-2025-20125, the flaws have received a critical severity rating of CVSS 9.9 and 9.1 out of 10, respectively.
“Multiple vulnerabilities in Cisco ISE could allow an authenticated, remote attacker to execute arbitrary commands and elevate privileges on an affected device,” Cisco said in an advisory.
The flaws carry critical ratings even though an attacker must first hold administrative credentials before attempting exploitation. “To exploit these vulnerabilities, the attacker must have valid read-only administrative credentials,” Cisco said. “Any administrative user can be used to exploit these vulnerabilities.”
Affected APIs suffer deserialization and authorization flaws
According to the advisory, an API of Cisco ISE is prone to insecure deserialization of user-supplied Java byte streams. A threat actor could exploit this by sending a crafted serialized Java object to the affected API.
The vulnerability, CVE-2025-20124, “could allow an authenticated remote attacker to execute arbitrary commands as the root user on an affected device.” Successful exploitation, which requires valid read-only administrative credentials, results in arbitrary code execution and elevated privileges.
The second flaw lies in an ISE API (Cisco did not say whether it is the same API affected by CVE-2025-20124) and could allow an attacker with the same administrative credentials to obtain sensitive information, change node configurations, and restart the node.
“This vulnerability (CVE-2025-20125) is due to a lack of authorization in a specific API and improper validation of user-supplied data,” Cisco added. “An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device.”
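The two flaw classes above, a deserializer that trusts user-supplied Java byte streams and an endpoint that skips its authorization check, are easier to reason about with code in front of you. The following is an added illustration written for this article; it is not Cisco ISE code, it does not reproduce either CVE, and the page does not say how Cisco fixed them. The role names, the NodeConfigRequest class and the handler shape are hypothetical, and the UnexpectedType class merely stands in for an attacker-chosen class; no real gadget chain is shown. The hardened handler uses the JDK's built-in ObjectInputFilter (JDK 9+) to allowlist the one expected class and to bound graph depth and payload size, and it checks the caller's role before the payload is touched at all. It runs as a single file with `java DeserializationDemo.java` on JDK 11 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationDemo {

    // Hypothetical caller roles; the advisory only speaks of "read-only administrative credentials".
    enum Role { READ_ONLY_ADMIN, SUPER_ADMIN }

    // Hypothetical payload the endpoint legitimately expects.
    static final class NodeConfigRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String nodeName;
        NodeConfigRequest(String nodeName) { this.nodeName = nodeName; }
    }

    // Stands in for any class the endpoint did not expect. A real attack would name
    // a gadget class already on the server's classpath; none is shown here.
    static final class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note = "not a NodeConfigRequest";
    }

    // VULNERABLE pattern: no authorization check, and the stream is trusted, so
    // whatever class the bytes name is instantiated before the handler sees it.
    static Object handleUnsafe(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // HARDENED pattern: (1) require a write-capable role before touching the payload,
    // (2) allowlist only the expected class, (3) bound depth and size of the stream.
    static NodeConfigRequest handleHardened(Role caller, byte[] body)
            throws IOException, ClassNotFoundException {
        if (caller != Role.SUPER_ADMIN) {
            throw new SecurityException("node configuration requires SUPER_ADMIN");
        }
        String allowed = NodeConfigRequest.class.getName(); // DeserializationDemo$NodeConfigRequest
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                allowed + ";java.lang.String;maxdepth=4;maxbytes=4096;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(filter);      // must be set before the first readObject()
            Object o = in.readObject();           // InvalidClassException if the filter rejects
            return (NodeConfigRequest) o;
        }
    }

    // Builds the byte stream a client would send; used here to construct sample input.
    static byte[] serialize(Serializable o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new NodeConfigRequest("ise-node-1")); // constructed sample
        byte[] bad  = serialize(new UnexpectedType());                // constructed sample

        // The unsafe handler instantiates whatever the bytes name, regardless of the caller.
        System.out.println("unsafe accepted: " + handleUnsafe(good).getClass().getSimpleName());
        System.out.println("unsafe accepted: " + handleUnsafe(bad).getClass().getSimpleName());

        // Hardened: correct role plus the expected class is accepted ...
        System.out.println("hardened accepted: " + handleHardened(Role.SUPER_ADMIN, good).nodeName);

        // ... an unexpected class is rejected before any of its code runs ...
        try {
            handleHardened(Role.SUPER_ADMIN, bad);
        } catch (InvalidClassException e) {
            System.out.println("hardened rejected: " + e.getMessage());
        }

        // ... and a read-only admin never reaches the deserializer at all.
        try {
            handleHardened(Role.READ_ONLY_ADMIN, good);
        } catch (SecurityException e) {
            System.out.println("hardened denied: " + e.getMessage());
        }
    }
}
```

The filter string is evaluated left to right: the first two patterns allow the one expected class and java.lang.String, the two limits reject streams that are deeper or larger than a legitimate request, and the trailing `!*` rejects every other class. The ordering matters because the allowlist must come before the catch-all rejection. The role check sits before the deserializer on purpose: a read-only account that cannot even submit the payload has no path to the deserialization bug.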
Roy Akerman, VP of Identity Security Strategy at Silverfort, finds the flaw particularly dangerous because it enables identity-based attacks.
In a comment to CSO, he said, “The vulnerability allows an attacker to bypass authentication and gain privileged access, enabling lateral movement across the network, which is dangerous. The uniqueness of this flaw lies in its potential to bypass identity-based security controls, making traditional defenses like passwords and basic authentication insufficient.”
A fix is available, irrespective of service contracts
The vulnerabilities affect Cisco ISE and Cisco ISE Passive Identity Connector (ISE-PIC) appliances regardless of device configuration, the company added. Version 3.4 is not affected; fixed releases are available for the earlier versions that are.
The fixes are 3.1P10 for release 3.1, 3.2P7 for 3.2, and 3.3P4 for 3.3. For users running version 3.0 and earlier, Cisco recommended migrating to a fixed release. Because the flaws affect all configurations and Cisco offers no workaround, upgrading to a fixed release is the only mitigation.
Cisco said in the advisory that customers with service contracts entitling them to regular software updates should obtain the fixes through their usual update channels, while customers without a contract can obtain upgrades by contacting Cisco TAC. At the time of writing there were no public reports of either flaw being exploited in the wild.