Summary: Cisco has released patches for critical vulnerabilities in the Identity Services Engine (ISE) that could allow remote attackers to execute arbitrary commands. Two high-severity flaws in the SNMP subsystem of Cisco IOS and other operating systems were also announced, potentially causing denial-of-service conditions. Users are encouraged to update their systems to mitigate these risks as no workarounds are available.
Affected: Cisco Identity Services Engine (ISE), Cisco IOS, IOS XE, IOS XR
Keypoints :
- Two critical vulnerabilities (CVE-2025-20124 and CVE-2025-20125) in ISE APIs allow remote attackers with read-only administrative privileges to execute commands.
- CVE-2025-20124 has a CVSS score of 9.9, allowing arbitrary command execution through insecure deserialization of Java byte streams.
- High-severity flaws in SNMP could lead to denial-of-service attacks due to improper error handling of SNMP requests.
- Patches are available in ISE versions 3.1P10, 3.2P7, and 3.3P4; updates for SNMP vulnerabilities are expected in February and March.
- Cisco is unaware of any exploits of these vulnerabilities in the wild.