Pierluigi Paganini February 06, 2025

Cisco addressed critical flaws in Identity Services Engine, preventing privilege escalation and system configuration changes.

Cisco addressed multiple vulnerabilities, including two critical remote code execution flaws, tracked as CVE-2025-20124 (CVSS score of 9.9) and CVE-2025-20125 (CVSS score of 9.1), in Identity Services Engine (ISE).

A remote attacker authenticated with read-only administrative privileges could exploit the flaws to execute arbitrary commands on flawed devices.

The vulnerability CVE-2025-20124 is an Insecure Java Deserialization issue in the API of Cisco ISE that could allow an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device.

“This vulnerability is due to insecure deserialization of user-supplied Java byte streams by the affected software.” reads the advisory. “An attacker could exploit this vulnerability by sending a crafted serialized Java object to an affected API. A successful exploit could allow the attacker to execute arbitrary commands on the device and elevate privileges.”

The vulnerability CVE-2025-20125 is an authorization bypass issue that could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node.

“This vulnerability is due to a lack of authorization in a specific API and improper validation of user-supplied data. An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device. A successful exploit could allow the attacker to attacker to obtain information, modify system configuration, and reload the device.” reads the advisory.

“To successfully exploit this vulnerability, the attacker must have valid read-only administrative credentials. In a single-node deployment, new devices will not be able to authenticate during the reload time.”

The IT giant warns that there are no workarounds that solve these flaws.

The company recommends customers to upgrade to an appropriate fixed software release:

Company PSIRT it is not aware of attackers in the wild exploiting one of these vulnerabilities.

The vulnerability CVE-2025-20124 was reported by Dan Marin and Sebastian Radulea of Deloitte, while CVE-2025-20125 was reported by Sebastian Radulea of Deloitte.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, newsletter)