Article Details
Scrape Timestamp (UTC): 2025-07-22 13:15:06.131
Source: https://thehackernews.com/2025/07/cisco-confirms-active-exploits.html
Original Article Text
Click to Toggle View
Cisco Confirms Active Exploits Targeting ISE Flaws Enabling Unauthenticated Root Access. Cisco on Monday updated its advisory of a set of recently disclosed security flaws in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) to acknowledge active exploitation. "In July 2025, the Cisco PSIRT [Product Security Incident Response Team], became aware of attempted exploitation of some of these vulnerabilities in the wild," the company said in an alert. The network equipment vendor did not disclose which vulnerabilities have been weaponized in real-world attacks, the identity of the threat actors exploiting them, or the scale of the activity. Cisco ISE plays a central role in network access control, managing which users and devices are allowed onto corporate networks and under what conditions. A compromise at this layer could give attackers unrestricted access to internal systems, bypassing authentication controls and logging mechanisms—turning a policy engine into an open door. The vulnerabilities outlined in the alert are all critical-rated bugs (CVSS scores: 10.0) that could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user - While the first two flaws are the result of insufficient validation of user-supplied input, the latter stems from a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. As a result, an attacker could leverage these shortcomings by submitting a crafted API request (for CVE-2025-20281 and CVE-2025-20337) or uploading a crafted file to the affected device (for CVE-2025-20282). In light of active exploitation, it's essential that customers upgrade to a fixed software release as soon as possible to remediate these vulnerabilities. These flaws are exploitable remotely without authentication, placing unpatched systems at high risk of pre-auth remote code execution—a top-tier concern for defenders managing critical infrastructure or compliance-driven environments. Security teams should also review system logs for suspicious API activity or unauthorized file uploads, especially in externally exposed deployments.
Daily Brief Summary
Cisco has updated its advisory on actively exploited vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector.
In July 2025, exploits targeting critical-rated ISE flaws were detected, which allow root-level command execution by unauthenticated users.
The vulnerabilities enable attackers to bypass network access controls and gain unrestricted access to internal systems.
Two of the flaws stem from insufficient input validation, and one from inadequate file validation checks, allowing the placement of malicious files in privileged directories.
Attackers exploit these vulnerabilities via crafted API requests or malicious file uploads to affected devices.
Cisco has not disclosed specifics regarding the identities of the attackers or the extent of the exploitation.
Immediate software updates and vigilant system log reviews for suspicious activities are recommended to mitigate the risks.
The high-risk nature of these flaws poses significant threats to critical infrastructure and compliance-sensitive environments.