🔴 CVE-2025-20281

Critical unauthenticated remote code execution vulnerability in Cisco ISE API that allows attackers to execute arbitrary code as root via crafted API requests. Actively exploited in the wild with CVSS 10.0 severity.

โ† Back to Overview
Risk Level: HIGH_RISK
CVSS Score: 10.0
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 - Exploit Public-Facing Application
Deployment Risk: HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-06-25

Added to CISA KEV: 2025-07-28 (33 days between CVE publication and KEV listing)

🎯 Recommendations:

๐Ÿ” Web Intelligence (Kagi ยท 2025-09-06)

Here's what is known about the CVE-2025-20281 vulnerability:

Affected Applications/Services:
  • CVE-2025-20281 affects Cisco Identity Services Engine (ISE) and ISE-PIC (ISE Passive Identity Connector) [1][2].
Active Exploitation:
  • Cisco has confirmed that CVE-2025-20281 is actively being exploited in the wild [3][4].
Attack Vectors and Exploitation Methods:
  • The vulnerability is due to insufficient validation of user-supplied input [5][6].
  • An attacker can exploit this vulnerability by submitting a crafted API request [7][5].
  • Successful exploitation allows an attacker to execute arbitrary code as the root user and thereby gain root privileges on the affected system [7][8].
  • The attack vector is network-based with low attack complexity and requires no user interaction [9].
  • Specifically, the flaw is reachable by sending malicious serialized Java objects to the `/deployment-rpc/enableStrongSwanTunnel` endpoint [10].
Targeted Attacks:
  • While not explicitly stated, the active exploitation of a critical vulnerability like CVE-2025-20281 suggests its potential use in targeted attacks.
CISA Known Exploited Vulnerabilities Catalog:
  • CVE-2025-20281 has been added to the CISA Known Exploited Vulnerabilities Catalog [11][6].
Technical Details and Internet Exploitability:
  • CVE-2025-20281 is a critical severity vulnerability (CVSS 9.8) [8].
  • It is an unauthenticated remote code execution (RCE) vulnerability [1][8].
  • The vulnerability exists in a specific API of Cisco ISE and ISE-PIC [12][13].
  • It can be exploited without any valid credentials, making the attack vector easily accessible to remote adversaries [12][14].
  • Exploitation enables unauthenticated root access [15][16].

Sources

  1. Critical Vulnerability SAP ICM Could Lead to Full System Takeover

    CVE-2025-20281 & CVE-2025-20282: Maximum Severity Unauthenticated RCE Vulnerabilities in Cisco ISE and ISE-PIC. Critical Vulnerability in the SAP Internet Communication Manager Component Could Lead to Full System Takeover, Patch Available.

  2. CVE-2025-20281-CVE-2025-20282 | Arctic Wolf

    CVE-2025-20282: Caused by missing file validation checks, which allows a threat actor to upload files into privileged directories. A successful ...

  3. Exploit available for critical Cisco ISE bug exploited in attacks

    On July 22, 2025, Cisco marked both CVE-2025-20281 and CVE-2025-20337 as actively exploited in attacks, urging admins to apply the security updates as soon as possible.

  4. Cisco Identity Services Engine Unauthenticated Remote Code ...

    Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an ...

  5. CVE-2025-20281 Detail - NVD

    This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A ...