PT-2025-29858 · Cisco · Cisco ISE +1

Kentaro Kawane · Published 2025-06-25 · Updated 2025-11-25 · CVE-2025-20337

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Cisco Identity Services Engine and Cisco ISE-PIC versions 3.3 and 3.4
Cisco Identity Services Engine versions prior to 3.3 Patch 7
Cisco ISE-PIC versions prior to 3.4 Patch 2

Description

A critical vulnerability exists in a specific API of Cisco Identity Services Engine (ISE) and Cisco ISE-PIC. This flaw allows an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system with root privileges. The vulnerability is due to insufficient validation of user-supplied input, enabling exploitation through crafted API requests.

The vulnerability is actively exploited. It is estimated that over 1,000 services are vulnerable. The exploitation of this vulnerability, along with CitrixBleed 2, was observed in a coordinated attack by a sophisticated threat actor. The attacker utilized custom malware and backdoors to gain administrative access to compromised systems. The malware used for ISE was designed to run in memory and registered as an HTTP handler.

API Endpoints: The vulnerability is triggered through a crafted API request.
Vulnerable Parameters or Variables: User-supplied input is not properly validated.

Recommendations

Cisco Identity Services Engine versions prior to 3.3 Patch 7: Upgrade to version 3.3 Patch 7 or later.
Cisco ISE-PIC versions prior to 3.4 Patch 2: Upgrade to version 3.4 Patch 2 or later.

Fix

RCE

Special Elements Injection

Weakness Enumeration

Related Identifiers

BDU:2025-08631
CVE-2025-20337
ZDI-25-607

Affected Products

Cisco ISE
Cisco ISE-PIC