PT-2025-26853 · Cisco · Cisco ISE, Cisco ISE-PIC
Kentaro Kawane · Published 2025-06-25 · Updated 2025-11-12
CVE-2025-20282
CVSS v3.1: 10 (Critical) | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Cisco ISE and Cisco ISE-PIC, version 3.4
Description
An internal API of Cisco ISE and Cisco ISE-PIC lacks file validation checks. An unauthenticated, remote attacker can upload arbitrary files to an affected device and have them executed on the underlying operating system as root. Exploitation consists of uploading a crafted file: a successful attack lets the attacker store malicious files on the device, execute arbitrary code, and gain root privileges. This issue is actively exploited in real-world attacks.
Recommendations
Update Cisco ISE and Cisco ISE-PIC version 3.4 to a fixed version.
Tags: Exploit · Fix · RCE · Special Elements Injection · Improper Privilege Management
Affected Products: Cisco ISE, Cisco ISE-PIC