🧠 TL;DR
Two critical vulnerabilities (CVE-2025-20281 and CVE-2025-20282) have been discovered in Cisco Identity Services Engine (ISE) and ISE-PIC. These flaws allow unauthenticated remote code execution on affected systems. A working proof-of-concept (PoC) exploit is available publicly, and over 1,900 exposed systems have been identified via ZoomEye.
📋 Vulnerability Details
CVE-2025-20281
- Type: Unauthenticated RCE
- Component: Cisco ISE
- CVSS Score: 10.0 (Critical)
- Description: Allows unauthenticated attackers to execute arbitrary code due to improper input validation.
CVE-2025-20282
- Type: Unauthenticated RCE
- Component: Cisco ISE-PIC
- CVSS Score: 10.0 (Critical)
- Description: A related vulnerability enabling remote code execution through a similar attack surface as CVE-2025-20281.
🧪 Proof of Concept (PoC)
A working PoC has been released demonstrating the exploitation of both vulnerabilities:
🔍 Threat Hunting
ZoomEye Dork
iniCopyEditapp="Cisco ISE"
Live Search
Exposed Systems: 1,937 at the time of writing.
Follow @zoomeye_team's official Twitter/X account and send the message “Dark Web Informer” via DM to receive an extra 15-day membership.
📄 Official Advisories
🛡️ Recommended Action
- Immediately restrict external access to Cisco ISE and ISE-PIC interfaces.
- Apply patches or mitigations from Cisco (if available).
- Monitor for unusual activity and potential exploitation attempts.
- Review firewall and access control policies for exposed management interfaces.
🎯 Affected Environments
- Cisco Identity Services Engine (ISE)
- Cisco ISE Passive Identity Connector (ISE-PIC)
- Primarily enterprise networks using Cisco's NAC and identity services.
🧰 TTPs (MITRE Mapping)
- T1203: Exploitation for Client Execution
- T1133: External Remote Services
- T1190: Exploit Public-Facing Application
