The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent advisory. It concerns two critical injection vulnerabilities, CVE-2025-20281 and CVE-2025-20337, within Cisco's Identity Services Engine (ISE).
CISA has consequently added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This designation mandates that organizations operating Cisco ISE and ISE-PIC products must implement necessary mitigations by August 18, 2025.
Both CVEs are classified as injection vulnerabilities. They specifically impact certain Application Programming Interfaces (APIs) within Cisco ISE and Cisco ISE-PIC systems. Their root cause lies in insufficient validation of user-supplied input. This is a fundamental security weakness, cataloged as Common Weakness Enumeration CWE-74. It addresses improper neutralization of special elements in output processed by downstream components.
Malicious actors can exploit these weaknesses by submitting meticulously crafted API requests. This circumvents standard security controls. Such injection attacks pose a substantial threat to network security infrastructure.
Cisco ISE functions as a centralized policy engine governing network access globally. These systems are widely deployed in enterprise environments to manage user authentication, authorization, and accounting (AAA) services.
Successful exploitation grants attackers remote code execution (RCE) capabilities on affected devices. This can lead to complete administrative control through root privilege escalation. Threat actors can manipulate network policies and extract sensitive data.
They can also establish persistent backdoors within compromised environments. The critical nature of these vulnerabilities stems from their potential to grant unauthorized remote access to essential network infrastructure components without a password.
Attackers could leverage these flaws to bypass network segmentation controls. They can gain entry to restricted segments, deploy ransomware, or establish command-and-control channels within compromised networks.
Both CVE-2025-20281 and CVE-2025-20337 are collectively described as Cisco Identity Services Engine Injection Vulnerabilities. They have been assigned a critical CVSS 3.1 Score of 10.0.