🔴 CVE-2025-20337

Critical unauthenticated remote code execution vulnerability in Cisco ISE API that allows attackers to execute arbitrary code as root. The vulnerability is actively exploited in the wild and requires no authentication or user interaction.

Risk Level: HIGH_RISK

CVSS Score: 10.0

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 - Exploit Public-Facing Application

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-07-16

Added to CISA KEV: 2025-07-28 (12 days between CVE and KEV)

🎯 Recommendations:

πŸ” Web Intelligence (Kagi Β· 2025-09-06)

CVE-2025-20337 is a critical vulnerability affecting Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) [1][2]. Here's what is known about its exploitation:

  • Affected Applications/Services: Cisco ISE and ISE-PIC, specifically a particular API [1][3].
  • Internet-Facing: This vulnerability affects network access control, policy enforcement, and guest access, often involving internet-facing applications [1][2].
  • Active Exploitation: Cisco PSIRT confirmed attempted exploitation of CVE-2025-20337 in the wild in July 2025 [2].
  • Attack Vectors/Exploitation Methods: The vulnerability stems from insufficient validation of user-supplied input in a specific API [4]. An unauthenticated, remote attacker can exploit this by submitting a crafted API request to execute arbitrary code with root privileges on the underlying system [3][1].
  • Targeted Attacks: While not explicitly stated, active exploitation in the wild suggests the potential for targeted attacks [2].
  • CISA KEV Status: Due to active exploitation, CISA added CVE-2025-20337 to its Known Exploited Vulnerabilities Catalog [5][6].
  • Technical Details: The vulnerability allows unauthenticated remote code execution with root privileges due to insufficient input validation in a specific API, which can be triggered via crafted API requests [4][1]. There are no workarounds available to address this vulnerability [2].

Sources

  1. NVD - CVE-2025-20337

    NVD - CVE-2025-20337. Information Technology Laboratory, National Vulnerability Database…

  2. Cisco Identity Services Engine Unauthenticated Remote Code ...

    Exploitation and Public Announcements In July 2025, the Cisco PSIRT became aware of attempted exploitation of CVE-2025-20281 and CVE-2025-20337 ...

  3. tenable.com/cve/CVE-2025-20337

    A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying ...

  4. Cisco Warns of Identity Services Engine RCE Vulnerability Exploited in ...

    Cisco ISE RCE Vulnerability Exploited in Wild. The most severe vulnerabilities, CVE-2025-20281 and CVE-2025-20337, stem from insufficient validation of user-supplied input in specific APIs within ISE versions 3.3 and 3.4.

  5. CISA Warns of Cisco Identity Services Engine Vulnerability Exploited...

    The vulnerabilities, tracked as CVE-2025-20281 and CVE-2025-20337, allow attackers to achieve remote code execution with root privileges on affected systems. Key Takeaways 1. CISA added two Cisco ISE vulnerabilities (CVE-2025-20281, CVE-2025-20337) to its Known Exploited...