Critical flaw in Cisco ISE impacts cloud deployments on AWS, Microsoft Azure, and Oracle Cloud Infrastructure

Pierluigi Paganini June 05, 2025

Cisco fixed a critical flaw in the Identity Services Engine (ISE) that could allow unauthenticated attackers to conduct malicious actions.

A vulnerability tracked as CVE-2025-20286 (CVSS score 9.9) in cloud deployments of Cisco ISE on AWS, Microsoft Azure, and Oracle Cloud Infrastructure allows unauthenticated remote attackers to access sensitive data, perform limited administrative actions, modify configurations, or disrupt services.

The vulnerability in Cisco ISE cloud deployments occurs when the system generates identical credentials across different instances using the same software version and cloud platform (AWS, Azure, or OCI). This means multiple deployments can end up sharing the same login details. An attacker could exploit this by extracting credentials from one Cisco ISE instance and using them to access others, potentially gaining access to sensitive data, changing settings, or disrupting services.

“This vulnerability exists because credentials are improperly generated when Cisco ISE is being deployed on cloud platforms, resulting in different Cisco ISE deployments sharing the same credentials. These credentials are shared across multiple Cisco ISE deployments as long as the software release and cloud platform are the same. An attacker could exploit this vulnerability by extracting the user credentials from Cisco ISE that is deployed in the cloud and then using them to access Cisco ISE that is deployed in other cloud environments through unsecured ports.” reads the advisory. “A successful exploit could allow the attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems.”

Kentaro Kawane of GMO Cybersecurity discovered the vulnerability. Cisco PSIRT has confirmed that proof-of-concept code exists for the vulnerability but says there’s no evidence that the flaw has been actively exploited in attacks in the wild.

The flaw impacts the following versions:

Cisco Identity Services Engine Release	First Fixed Release
3.1	Migrate to a fixed release.
3.2	Migrate to a fixed release.
3.3	3.3P8 (November 2025)
3.4	3.4P3 (October 2025)
3.5	Planned release (Aug 2025)

There’s no direct workaround for the Cisco Identity Services Engine cloud vulnerability, however the IT giant provided some important mitigations administrators can apply. First, limit access by allowing only trusted source IP addresses, either through cloud security groups or directly within the Cisco Identity Services Engine interface.

For new installations, Cisco recommends running the application reset-config ise command on the cloud-based primary node to generate fresh credentials. Note: this will reset the system to factory settings, and restoring from a backup will bring back the original (potentially vulnerable) credentials.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Cisco)

Pierluigi Paganini July 20, 2025

Singapore warns China-linked group UNC3886 targets its critical infrastructure

Pierluigi Paganini July 03, 2025