External risk intelligence

Cisco Identity Services Engine API Vulnerability Allows Code Execution

Tags: CVE advisory, Known Exploit

CVE-2025-20337

A vulnerability in Cisco Identity Services Engine and ISE-PIC APIs could allow an unauthenticated attacker to execute arbitrary code with root privileges on affected systems. This presents a significant risk to organizations by potentially allowing attackers full control over compromised devices. Organizations should i

Halo Surface Signal score for CVE-2025-20337: 4 (external exposure likelihood)

Product: Cisco Identity Services Engine

Versions: 3.3.0, 3.4.0

Cisco Identity Services Engine (ISE) is an enterprise network administration and policy management platform that often exposes API and management interfaces to facilitate network infrastructure orchestration, identity management, and guest access services, making it a commonly deployed and reachable service within network environments.

Horizon Alert

Summary of the vulnerability and why it matters

Cisco Identity Services Engine and Cisco ISE-PIC have a vulnerability in how they process API requests. The flaw could permit an unauthenticated, remote attacker to run arbitrary code on affected systems with root privileges, because the system does not properly validate user-supplied input in API requests.

  • Cisco Identity Services Engine and ISE-PIC
  • Insufficient input validation in API
  • Unauthorized code execution with root privileges

Attack Path

How an attacker could exploit the issue

An unauthenticated, remote attacker could potentially execute arbitrary code on affected Cisco systems. This vulnerability arises from insufficient validation of user-supplied input within a specific API. Attackers can exploit this by sending a specially crafted API request. Successful exploitation could grant the attacker root privileges on the compromised device.

  • Exposure via network API.
  • Attacker sends crafted API request.
  • Attacker gains root control.

Live Threat

Current exploitation, exposure, and threat context

A critical vulnerability exists in Cisco Identity Services Engine and Cisco ISE-PIC that could allow an unauthenticated, remote attacker to execute arbitrary code with root privileges. This is achieved by submitting a crafted API request, bypassing the need for any credentials. The risk to organizations is significant, as a successful exploit could grant attackers complete control over affected systems.

  • Attackers require low skill.
  • No prior access, credentials, or special conditions needed.
  • High business risk; treat as urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An organization's information technology team should take immediate action to address a critical vulnerability in Cisco Identity Services Engine and Cisco Identity Services Engine-PIC. This vulnerability could permit an unauthenticated, remote attacker to gain root-level control of the underlying operating system by submitting a specially crafted API request. Exploiting this could lead to unauthorized access and execution of arbitrary code.

  • Identify all Cisco ISE and ISE-PIC assets.
  • Reduce exposure by isolating affected systems.
  • Apply vendor fixes and validate their implementation.
  • Monitor for related suspicious activity.
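The four remediation steps above start with knowing which assets are in scope and which of them are reachable from outside. The following script is an added example of that triage, not Halo or Cisco code. It assumes a hypothetical inventory export (a list of dicts with hostname, product, version and an internet_reachable flag), treats the 3.3 and 3.4 release trains listed on this page as affected, and leaves the fixed patch level per train as a placeholder to be filled in from Cisco's advisory; until that is filled in, every node on an affected train is treated as vulnerable.

```python
"""Triage helper for the CVE-2025-20337 remediation steps.

Added example, not Halo/Cisco code. Assumptions (hypothetical):
  - the inventory is a list of dicts with 'hostname', 'product',
    'version' and 'internet_reachable'
  - affected release trains are taken from the page (3.3, 3.4); the exact
    fixed patch levels must come from Cisco's advisory and are represented
    here by the FIXED_PATCH placeholder (None = unknown, assume affected)
"""
from dataclasses import dataclass
import re

AFFECTED_PRODUCTS = {"Cisco Identity Services Engine", "Cisco ISE-PIC"}
AFFECTED_TRAINS = {(3, 3), (3, 4)}  # from the page: 3.3.0, 3.4.0
# Placeholder: replace with the patch level named in Cisco's advisory.
FIXED_PATCH = {(3, 3): None, (3, 4): None}

# Accepts "3.4.0" and "3.3.0 Patch 2" style strings.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\s*[Pp]atch\s*(\d+))?$")


def parse_version(s):
    """Return (major, minor, maintenance, patch); patch defaults to 0."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, maint, patch = m.groups()
    return (int(major), int(minor), int(maint), int(patch) if patch else 0)


def is_affected(product, version):
    """True when the node runs an affected train below the fixed patch level."""
    if product not in AFFECTED_PRODUCTS:
        return False
    major, minor, _maint, patch = parse_version(version)
    train = (major, minor)
    if train not in AFFECTED_TRAINS:
        return False
    fixed = FIXED_PATCH.get(train)
    if fixed is None:
        return True  # no fixed level known yet: assume affected
    return patch < fixed


@dataclass
class Finding:
    hostname: str
    affected: bool
    internet_reachable: bool
    priority: str


def priority_for(affected, internet_reachable):
    """Exposed and affected nodes go first: isolate, then patch."""
    if not affected:
        return "none"
    return "P1-isolate-and-patch" if internet_reachable else "P2-patch"


_ORDER = {"P1-isolate-and-patch": 0, "P2-patch": 1, "none": 2}


def triage(inventory):
    """Return findings for every asset, highest priority first."""
    findings = []
    for asset in inventory:
        affected = is_affected(asset["product"], asset["version"])
        reachable = asset["internet_reachable"]
        findings.append(Finding(asset["hostname"], affected, reachable,
                                priority_for(affected, reachable)))
    findings.sort(key=lambda f: _ORDER[f.priority])
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"hostname": "ise-pan-01", "product": "Cisco Identity Services Engine",
     "version": "3.4.0", "internet_reachable": True},
    {"hostname": "ise-pic-01", "product": "Cisco ISE-PIC",
     "version": "3.3.0 Patch 2", "internet_reachable": False},
    {"hostname": "ise-lab-01", "product": "Cisco Identity Services Engine",
     "version": "3.2.0", "internet_reachable": True},
    {"hostname": "switch-01", "product": "Cisco Catalyst",
     "version": "17.9.4", "internet_reachable": False},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.hostname:<12} affected={f.affected!s:<5} "
              f"exposed={f.internet_reachable!s:<5} {f.priority}")
```

Once the fixed patch level from the vendor advisory is entered in FIXED_PATCH, re-running the same triage after patching doubles as the "validate their implementation" step: any node still reported as affected was not actually upgraded.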

Frequently asked questions

What is Cisco Identity Services Engine (ISE)?

Cisco Identity Services Engine (ISE) is a network administration and policy management platform. It helps manage network infrastructure, control user access, and enforce security policies across an organization's network.

How does CVE-2025-20337 allow an attacker to execute code?

CVE-2025-20337 is a weakness classified as CWE-74, which involves improper neutralization of special elements in output or commands. In this case, Cisco ISE and ISE-PIC do not sufficiently validate user input in a specific API. An attacker can send a specially crafted API request to trigger this flaw and execute arbitrary code with root privileges.
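To make the CWE-74 class concrete, here is an added, generic illustration of an API handler that lets a request parameter reach a command interpreter unneutralised, next to a hardened version that validates the parameter and avoids the shell entirely. This is educational example code, not Cisco ISE code; it says nothing about which ISE API, parameter or command is involved in CVE-2025-20337, and the handler name, parameter name and command are hypothetical.

```python
"""Generic CWE-74 illustration: vulnerable vs hardened API parameter handling.

Added example, not Cisco code. The handler, the 'name' parameter and the
command it runs are hypothetical stand-ins for the flaw class only.
"""
import re
import subprocess


# --- vulnerable pattern: request data is spliced into a shell string ------
def export_report_vulnerable(api_params):
    # 'name' comes straight from the API request body, unvalidated.
    name = api_params["name"]
    # /bin/sh interprets everything in `name`, so shell metacharacters in the
    # request are executed with the privileges of the API service (root, in
    # the scenario this page describes).
    cmd = f"echo exporting report {name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# --- hardened pattern: allow-list the value, then never go through a shell -
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class ValidationError(ValueError):
    """Raised when an API parameter fails the allow-list check."""


def validate_name(name):
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        raise ValidationError("report name must match [A-Za-z0-9_-]{1,64}")
    return name


def export_report_hardened(api_params):
    name = validate_name(api_params.get("name"))
    # argv list, no shell: the value is passed as a single argument and
    # cannot be interpreted as additional commands even if validation were
    # ever loosened.
    result = subprocess.run(["echo", "exporting report", name],
                            capture_output=True, text=True, check=True)
    return result.stdout


# Constructed probe value: the injected second command only prints a marker,
# so the contrast is visible without doing anything harmful.
PROBE = {"name": "weekly; echo INJECTED"}
BENIGN = {"name": "weekly"}

if __name__ == "__main__":
    print("vulnerable :", repr(export_report_vulnerable(PROBE)))
    try:
        export_report_hardened(PROBE)
    except ValidationError as e:
        print("hardened   : rejected ->", e)
    print("hardened   :", repr(export_report_hardened(BENIGN)))
```

The two defences are independent and both matter: the allow-list rejects the request at the API boundary, which is where the page says the missing validation sits, and the argv form means the handler is not a command-injection sink even when a later change widens what the allow-list accepts.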

What is needed for an attacker to exploit this CVE?

An attacker does not need any valid credentials to exploit this vulnerability. They only need to be able to send a crafted API request to an affected system. The vulnerability is not triggered by normal API usage.

Why should I care about this vulnerability based on Halo Surface Signal?

This vulnerability is classified as external, meaning it can be reached from the internet. Cisco Identity Services Engine often exposes management interfaces for network orchestration and access services, making it a potentially accessible target for attackers outside the internal network.

What should I do if I run Cisco ISE or ISE-PIC?

If you are running Cisco Identity Services Engine or Cisco ISE-PIC, you should first identify all affected assets. Consider isolating these systems to reduce their exposure and then apply any available fixes or patches provided by Cisco to address the vulnerability.
