Alert Essentials:
Cisco has released fixed versions of Cisco ISE for two CVEs that can lead to system compromise. An attacker who holds a valid read-only administrator account can use them to change node configurations and execute code as the root user. There are no known exploits in the wild currently.
Prioritize this update, as Cisco products are often targets for bad actors.
Detailed Threat Description:
Two critical security flaws in the Identity Services Engine (ISE) could allow remote attackers to execute arbitrary commands and elevate privileges on susceptible devices.
CVE-2025-20124 is an insecure deserialization vulnerability in an API of Cisco ISE. The weakness could allow an authenticated, remote attacker to execute arbitrary commands as the root user.
CVE-2025-20125 is an authorization bypass: a lack of authorization checks in an API, combined with improper validation of user-supplied data, could allow an authenticated, remote attacker to obtain sensitive information, change node configurations, and restart the node.
Successful exploitation of either vulnerability could be detrimental to organizations. However, it is important to note that the attacker must have valid read-only administrative credentials to execute either flaw.
These vulnerabilities are not dependent on one another, and the Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities to date. Cisco products are nonetheless attractive targets, so upgrading to a patched version is recommended.
Impacts on Healthcare Organizations:
These vulnerabilities could allow an attacker to execute arbitrary commands on the device with system privileges. What that code does is up to the attacker, but the likely outcome is full compromise of the appliance.
From there, bad actors could cause service disruption, export of patient information, organization data loss, and reputational damage that may take many years to overcome. It is strongly advised that healthcare organizations upgrade affected appliances and continue efforts to develop a cyber-resilient organization.
Affected Products / Versions:
| Cisco ISE Impacted Versions | First Fixed Release |
|---|---|
| 3.0 | Migrate to a fixed release |
| 3.1 | 3.1P10 |
| 3.2 | 3.2P7 |
| 3.3 | 3.3P4 |
| 3.4 | Not vulnerable |

*These vulnerabilities affect Cisco ISE and Cisco ISE Passive Identity Connector (ISE-PIC), regardless of device configuration.
CVEs:
CVE-2025-20124 – CWE-502 – (CVSS 9.9)
CVE-2025-20125 – CWE-285 – (CVSS 9.1)
Recommendations:
Engineering Recommendations:
- Update vulnerable versions immediately, as there are no workarounds available
- Re-join Active Directory and regenerate the Root CA chain after upgrading
- Configure ISE for Federal Information Processing Standards (FIPS) compliance to ensure the use of strong cryptographic protocols
- Place Cisco ISE behind a firewall, preferably in a secure data center, and configure specific ports for access
- Implement network segmentation and access controls to limit potential attack vectors
- Use separate certificates for disaster recovery and HTTPS connections
- Enable multi-factor authentication (MFA); implement MFA for all users accessing critical systems and applications
- Monitor systems for suspicious activity related to Java deserialization or unauthorized command execution
- Limit the number of users with permissions to the management interface
- Enable comprehensive logging and monitoring for the Cisco ISE system and integrate it with your Security Information and Event Management (SIEM) system
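The monitoring and logging items above are easier to act on with a concrete detection. The following script is an added example, not code from Fortified or from Cisco: it scans syslog-style administrative audit lines for the two behaviours the advisory describes (a read-only administrator account succeeding at a node configuration change or restart, and Java deserialization errors in the application log) and escalates when both occur close together. The line layout, the field names (Username, Role, Action, Result) and the sample records are constructed assumptions for this example; a real deployment would map them to the actual ISE syslog categories forwarded to the SIEM.

```python
"""Flag ISE-style audit events that match the advisory's monitoring advice.

Added example; the log format below is an assumption, not Cisco ISE's real
syslog layout. Sample lines are constructed for this demonstration.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines (not real Cisco ISE output).
SAMPLE_LOGS = [
    "Feb 06 10:01:12 ise-node1 CISE_Audit: Username=ro-auditor Role=Read-Only-Admin Action=Login Result=Success",
    "Feb 06 10:02:45 ise-node1 CISE_Audit: Username=ro-auditor Role=Read-Only-Admin Action=NodeConfigChange Result=Success",
    "Feb 06 10:02:46 ise-node1 CISE_App: Message=java.io.InvalidClassException: filter status REJECTED; class=com.example.Gadget",
    "Feb 06 10:03:10 ise-node1 CISE_Audit: Username=ro-auditor Role=Read-Only-Admin Action=NodeRestart Result=Success",
    "Feb 06 10:05:00 ise-node1 CISE_Audit: Username=superadmin Role=Super-Admin Action=NodeConfigChange Result=Success",
    "Feb 06 10:06:00 ise-node1 CISE_Audit: Username=ro-auditor Role=Read-Only-Admin Action=ViewReport Result=Success",
]

LINE_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+): (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Actions a read-only role should never complete; a success here is the
# authorization-bypass pattern the advisory describes (assumed action names).
PRIVILEGED_ACTIONS = {"NodeConfigChange", "NodeRestart", "CommandExecution"}
READ_ONLY_ROLES = {"Read-Only-Admin"}
# Java deserialization markers (real Java class/method names) that should be
# rare in normal operation and deserve review when they appear.
DESER_MARKERS = ("ObjectInputStream", "InvalidClassException", "readObject")


def parse_line(line):
    """Parse one syslog-style line into a dict, or return None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, facility, body = m.groups()
    # Syslog timestamps carry no year; the constructed data is dated 2025.
    when = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=2025)
    return {"time": when, "host": host, "facility": facility,
            "body": body, "fields": dict(KV_RE.findall(body))}


def analyze(lines, window=timedelta(seconds=120)):
    """Return a list of (severity, reason, line) findings for the given log lines."""
    findings = []
    recent_deser = []  # timestamps of deserialization markers seen so far
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            findings.append(("info", "unparsed line", line))
            continue
        f = ev["fields"]
        if any(marker in ev["body"] for marker in DESER_MARKERS):
            recent_deser.append(ev["time"])
            findings.append(("medium", "Java deserialization marker in application log", line))
        if (f.get("Role") in READ_ONLY_ROLES
                and f.get("Action") in PRIVILEGED_ACTIONS
                and f.get("Result") == "Success"):
            # Escalate when a deserialization marker preceded the privileged
            # action within the correlation window.
            correlated = any(timedelta(0) <= ev["time"] - t <= window for t in recent_deser)
            severity = "critical" if correlated else "high"
            findings.append((severity,
                             f"read-only account {f.get('Username')} performed {f.get('Action')}",
                             line))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. for a SIEM dashboard or alert threshold."""
    return Counter(sev for sev, _, _ in findings)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOGS)
    for severity, reason, line in results:
        print(f"[{severity.upper()}] {reason}\n    {line}")
    print(dict(summarize(results)))
```

In the sample data the first read-only configuration change is rated high on its own, the deserialization error that follows is rated medium, and the node restart 24 seconds later is escalated to critical because the two patterns overlap; the super-admin change and the read-only report view produce no findings. Forwarding only the high and critical tuples to the SIEM keeps the alert volume proportional to the risk the advisory describes.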
Leadership/Program Recommendations:
- Revise cybersecurity policies to align with the latest security standards and best practices, including those outlined in the Health Industry Cybersecurity Practices (HICP) 3
- Invest in staff training; provide cybersecurity awareness training to all employees, emphasizing the importance of identifying and reporting potential threats
- Establish an incident response plan; develop and regularly test a comprehensive plan to address potential security breaches
- Consider adopting a zero-trust security model; implement Cisco ISE as part of a broader zero-trust strategy to enhance the overall security posture
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Cisco Advisory: Cisco Identity Services Engine Insecure Java Deserialization and Authorization Bypass Vulnerabilities
- Cisco Support and Downloads: Documentation, Tools, Cases
- Healthcare Sector Cybersecurity