TIGR Threat@Security Risk Advisors
Cisco has issued a critical security advisory regarding a vulnerability, CVE-2025-20286, in its Identity Services Engine (ISE) when deployed on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). This static credential flaw enables unauthenticated remote attackers to potentially access sensitive data, perform limited administrative actions, modify system configurations, or disrupt services. The vulnerability stems from improperly generated credentials during cloud deployments, resulting in multiple ISE deployments sharing the same static credentials, provided they are on the same software release and cloud platform.
Exploitation of CVE-2025-20286 could allow attackers to extract user credentials from a compromised Cisco ISE cloud deployment and use them to access other ISE deployments (those on the same cloud platform and software release) via unsecured ports. This could lead to unauthorized access to sensitive data, execution of limited administrative operations, changes to system configurations, or service disruptions. Cisco's Product Security Incident Response Team (PSIRT) has confirmed the existence of a proof-of-concept (PoC) exploit for this vulnerability, though there is no evidence of active exploitation in the wild.
The vulnerability impacts specific versions of Cisco ISE, affecting versions 3.1, 3.2, 3.3, and 3.4 on AWS, and versions 3.2, 3.3, and 3.4 on Azure and OCI. Cisco emphasizes that this vulnerability only affects deployments where the Primary Administration node is hosted in the cloud; on-premises deployments are not affected. While there are no official workarounds, Cisco recommends restricting traffic to authorized administrators or using the "application reset-config ise" command to reset user passwords. The company has released security patches to address the flaw and urges users to update their systems promptly.
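As an added illustration (not part of the advisory or any vendor tooling), the following inventory triage encodes the affected-version matrix above and groups affected deployments by platform and release, since deployments in the same group were generated with the same static credentials. Deployment names, version strings and the `IseDeployment` fields are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
# Affected (platform, major.minor) matrix as listed in the advisory text above.
AFFECTED = {
    "aws": {"3.1", "3.2", "3.3", "3.4"},
    "azure": {"3.2", "3.3", "3.4"},
    "oci": {"3.2", "3.3", "3.4"},
}

@dataclass(frozen=True)
class IseDeployment:
    name: str           # inventory label (constructed sample values below)
    platform: str       # "aws", "azure", "oci" or "onprem"
    release: str        # full version string, e.g. "3.3.0.430"
    pan_in_cloud: bool  # Primary Administration node hosted in the cloud
    patched: bool       # Cisco's fixed release already applied

def normalize_release(version):
    """Reduce a full ISE version string to the major.minor the advisory lists."""
    return ".".join(version.strip().split(".")[:2])

def is_affected(d):
    """Affected only if the PAN is in the cloud, unpatched, and on a listed platform/release."""
    if d.patched or not d.pan_in_cloud:
        return False
    return normalize_release(d.release) in AFFECTED.get(d.platform.lower(), set())

def shared_credential_groups(deployments):
    """Group affected deployments by (platform, major.minor): every member of a
    group was generated with the same static credentials, so a compromise of
    one exposes the rest."""
    groups = defaultdict(list)
    for d in deployments:
        if is_affected(d):
            groups[(d.platform.lower(), normalize_release(d.release))].append(d.name)
    return {key: sorted(names) for key, names in groups.items()}

# Constructed sample inventory; names and version strings are illustrative only.
SAMPLE = [
    IseDeployment("ise-prod-east", "aws", "3.3.0.430", True, False),
    IseDeployment("ise-prod-west", "aws", "3.3.0.430", True, False),
    IseDeployment("ise-lab", "aws", "3.1.0.518", True, False),
    IseDeployment("ise-az-hq", "azure", "3.1.0.518", True, False),    # 3.1 not listed for Azure
    IseDeployment("ise-oci-dr", "oci", "3.4.0.608", False, False),    # PAN on premises
    IseDeployment("ise-az-branch", "azure", "3.4.0.608", True, True),  # already patched
]

if __name__ == "__main__":
    for (platform, release), names in shared_credential_groups(SAMPLE).items():
        print(f"{platform} ISE {release}: {', '.join(names)} share static credentials")
```

Each reported group is a set of deployments that should be patched (or have their credentials reset with `application reset-config ise`) together, because compromise of any one member exposes the others.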
References:
- Cyber Security News: Cisco Alerts on ISE Vulnerability Exposing Sensitive Data with Available PoC Exploit
- Security Affairs: Cisco fixed a critical flaw in the Identity Services Engine (ISE) that could allow unauthenticated attackers to conduct malicious actions.
- The Hacker News: Cisco has released security patches to address a critical security flaw impacting the Identity Services Engine (ISE) that, if successfully exploited, could allow unauthenticated actors to carry out malicious actions on susceptible systems.
- Security Risk Advisors: Static credential flaw (CVE-2025-20286) in #Cisco ISE cloud deployments enables unauthorized access across AWS, Azure, and OCI.
- SOC Prime Blog (socprime.com): A critical vulnerability in Cisco’s Identity Services Engine (ISE) enables unauthenticated remote attackers to retrieve sensitive information and perform administrative actions across various cloud environments upon exploitation.
- Arctic Wolf (arcticwolf.com): CVE-2025-20286: PoC Available for Critical Cisco Identity Services Engine Static Credential Vulnerability
- Arctic Wolf (arcticwolf.com): On 4 June 2025, Cisco released fixes for multiple vulnerabilities, several of which were noted to have publicly available proof-of-concept (PoC) exploit code. The most severe issue, CVE-2025-20286, affects cloud deployments of Cisco Identity Services Engine (ISE) on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI).
- Cisco Security Advisory (sec.cloudapps.cisco.com): Static credential flaw (CVE-2025-20286) in #Cisco ISE cloud deployments enables unauthorized access across AWS, Azure, and OCI.
- TechRadar (www.techradar.com): Cisco warns over worrying security flaws in ISE affecting AWS, Azure cloud deployments - here's what you need to know
- IT Pro (www.itpro.com): Cisco patches critical flaw affecting Identity Services Engine
- Blog: How to find Cisco Identity Services Engine (ISE) installations
- SC World (www.scworld.com): Cisco patches Identity Services Engine flaw affecting AWS, Azure, OCI
Classification:
- HashTags: #CiscoISE #CloudSecurity #Vulnerability
- Company: Cisco
- Target: Cloud deployments on AWS, Azure, OCI
- Product: ISE
- Feature: Authentication Bypass
- CVE: CVE-2025-20286
- Type: Vulnerability
- Severity: Critical