Critical Vulnerabilities Identified in Cisco ISE Exposing Systems to Remote Attacks

By Tina Reynolds

Networking giant Cisco has just announced the availability of patches for multiple critical vulnerabilities in its Identity Services Engine (ISE). These vulnerabilities might permit unauthenticated, remote attackers to run arbitrary code on vulnerable systems. All of these vulnerabilities are assigned CVSS scores of 10.0 and represent a critical security threat. They affect practically anyone who uses Cisco ISE.

One of these vulnerabilities is CVE-2025-20281, which resides in an application programming interface (API). It gives an attacker the ability to execute arbitrary code on the underlying operating system with root privileges and without authentication. Another vulnerability, CVE-2025-20337, resides within the same API and poses an equal risk.

Furthermore, CVE-2025-20282 affects an internal API in Cisco ISE. This vulnerability gives an unauthenticated remote attacker the ability to upload arbitrary files to an affected device. Once uploaded, these files can be executed with root privileges on the underlying operating system. This massively escalates the risk of destruction.

The vulnerabilities result from improper validation of user-supplied input and from missing file validation checks. The missing checks make arbitrary file upload possible, so uploaded files might be placed in privileged directories on the affected system.

Cisco has released a security alert for these vulnerabilities, published as a public advisory on its security center to let users know how dangerous these flaws are.

"In July 2025, the Cisco PSIRT [Product Security Incident Response Team] became aware of attempted exploitation of some of these vulnerabilities in the wild," Cisco stated in their alert.

On its blog, the company now recommends that all users audit their systems and implement appropriate security measures to protect against these vulnerabilities. If your organization uses Cisco ISE, pay attention! Until Cisco provides additional guidance, monitor your systems closely for any indications of exploitation.