- Cisco releases fix for two flaws in Identity Services Engine
- The flaws allowed for remote code execution, sensitive data exfiltration, and more
- The first clean version of Identity Services Engine is 3.4
Cisco has released patches for two critical-severity vulnerabilities plaguing its Identity Services Engine (ISE) solution. Since the flaws can be abused to run arbitrary commands and steal sensitive information, Cisco urged its users to apply the fixes as soon as possible.
In a security advisory, the networking giant first said it patched a “deserialization of user-supplied Java byte streams” vulnerability tracked as CVE-2025-20124, and given a severity score of 9.9/10 (critical). By sending a custom serialized Java object to an affected Cisco ISE API, an attacker could execute arbitrary commands and elevate privileges.
The second flaw is an authentication bypass bug, occurring since an API did not perform authorization checks, or properly validated user-supplied data. A threat actor could send a malicious HTTP request to the API on the device to trigger it. This bug is tracked as CVE-2025-20125, and was given a severity score of 9.1/10 (critical).
Authentication required
While these flaws sound dangerous, they’re not that easy to exploit. Cisco said that threat actors would still need to be authenticated, and with a read-only admin account, at that.
Indeed, that means pulling the attack off is a lot more difficult, but still not impossible. As The Register properly noted, cybercriminals can phish for login credentials, or simply buy them off the black market.
“It’s worth noting that NCC Group blamed last year’s surge in ransomware attacks partly on compromised credentials, so it’s not like these are too difficult to obtain. Rogue insiders can also abuse these holes, of course,” the publication said.
In any case, Cisco has already come out with fixes, so patching them should be done as soon as possible. Versions 3.0 – 3.3 were said to be vulnerable, so users should ensure they bring their software to version 3.4, at least. The good news is that there is still no evidence of abuse in the wild.
Via The Register
Leave a comment