- Cisco patches three vulnerabilities in ISE and CCP tools
- One of the three has a 9.9/10 severity score
- Some ISE deployments are not vulnerable
Cisco has patched three vulnerabilities in its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP) tools, including a critical-severity issue which has a public proof-of-concept (PoC) exploit.
Recently, three vulnerabilities were discovered, now tracked as CVE-2025-20286, CVE-2025-20130, and CVE-2025-20129. The former is described as a static credential reuse vulnerability, found in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of ISE.
It has a severity score of 9.9/10 (critical), and stems from improper generation of login credentials, when ISE is deployed on cloud platforms. As a result, different Cisco ISE deployments can share the same credentials, as long as the software release and cloud platform are the same.
Proof of Concept available
As a result, threat actors could access ISE instances deployed in other cloud environments through unsecured ports, gaining access to sensitive data, being able to execute limited admin operations, modify system configurations, and even disrupt different services.
The silver lining here is that the flaw is exploitable only if the Primary Administration node is deployed in the cloud. If it’s on-prem, then the instance is not vulnerable.
“The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability that is described in this advisory,” Cisco said.
ISE is a security policy management platform that provides secure network access control and visibility for devices and users, and CCP is a collaboration platform, allowing businesses to engage with their customers.
Here is a list of ISE deployments not vulnerable to attacks, according to Cisco’s advisory:
“- All on-premises deployments with any form factors where artifacts are installed from Cisco Software Download Center (ISO or OVA). This includes appliances and virtual machines with different form factors.
– ISE on Azure VMware Solution (AVS)
– ISE on Google Cloud VMware Engine
– ISE on VMware cloud in AWS
– ISE hybrid deployments with all ISE Administrator personas (Primary and Secondary Administration) on-premises with other personas in the cloud.”
Via BleepingComputer
Leave a comment