Cisco Patches Critical ISE Vulnerabilities Enabling Root CmdExec and PrivEsc

Summary: Cisco has issued updates to address two critical vulnerabilities in its Identity Services Engine (ISE) that could allow remote attackers to execute arbitrary commands and elevate privileges. The flaws, identified as CVE-2025-20124 and CVE-2025-20125, affect various versions of Cisco ISE and carry high CVSS scores of 9.9 and 9.1, respectively. Users are urged to upgrade to the fixed releases, as there are no workarounds available for these vulnerabilities.

Affected: Cisco Identity Services Engine (ISE)

Key points:

  • CVE-2025-20124: Insecure Java deserialization vulnerability allowing remote command execution as root.
  • CVE-2025-20125: Authorization bypass vulnerability enabling access to sensitive information and node configurations.
  • Users advised to migrate to fixed releases as no workarounds are available to mitigate the vulnerabilities.
  • Discovered by Deloitte security researchers Dan Marin and Sebastian Radulea.
  • No known malicious exploitation reported so far.

Source: https://thehackernews.com/2025/02/cisco-patches-critical-ise.html