Cisco warns of a Critical RCE vulnerability in Cisco ISE that is actively being exploited

Information

CISCO is a large company that both manufactures and distributes network hardware and advanced technologies. The company places great emphasis on network data security, providing customers with advantages in performance and data transmission speed. This leads to cost savings and more efficient processes. Additionally, it helps strengthen relationships with customers, target groups, business partners, resellers, and employees. Without a doubt, CISCO is the number one choice, as it offers a comprehensive network system covering complete solutions.

Incident

Cisco has issued warnings about three recently patched Critical vulnerabilities in Cisco Identity Services Engine (ISE), which are currently being actively exploited in ongoing attacks.

Although Cisco has not provided specific details on how these vulnerabilities are being exploited or whether the attacks have been successful, applying the security updates as soon as possible is highly recommended.

Cisco Identity Services Engine (ISE) is a platform that enables large organizations to control network access and enforce security policies.

The most severe vulnerabilities were first disclosed on June 25, 2025 (CVE-2025-20281 and CVE-2025-20282) and July 16, 2025 (CVE-2025-20337).

CVE-2025-20281 (CVSS score: 10/10, Critical severity) is an unauthenticated remote code execution vulnerability in Cisco ISE and ISE Passive Identity Connector (ISE-PIC). It allows attackers to send specially crafted API requests to execute arbitrary commands with root privileges on the operating system, without requiring authentication. This vulnerability has been fixed in ISE 3.3 Patch 7 and ISE 3.4 Patch 2.

CVE-2025-20282 (CVSS score: 10/10, Critical severity) is an unauthenticated arbitrary file upload and execution vulnerability in Cisco ISE and ISE-PIC Release 3.4. Due to insufficient file validation, attackers can upload malicious files to a privileged directory and execute them with root privileges. This vulnerability has been patched in ISE 3.4 Patch 2.

CVE-2025-20337 (CVSS score: 10/10, Critical severity) is an unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). Exploitation is possible through crafted API requests due to insufficient input validation, allowing attackers to gain root access without authentication or credentials. This vulnerability has been fixed in ISE 3.3 Patch 7 and ISE 3.4 Patch 2.

All three vulnerabilities in Cisco Identity Services Engine (ISE) are rated with the highest severity level (CVSS score: 10.0). They can be exploited remotely and without authentication, making them high-value targets for attackers aiming to compromise enterprise networks.

Impacted versions

ISE 3.3 and ISE 3.4

Recommendations

ISE 3.3 should be updated to Patch 7

ISE 3.4 should be updated to Patch 2
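A small triage helper, added here as an example and not part of Cisco's advisory or any Cisco tooling: given an ISE version string (the "3.3 Patch 5" input format is an assumption), it reports for each of the three CVEs whether the patch level named in this bulletin has been reached, so an inventory of ISE nodes can be checked against the recommendations above.

```python
"""Triage a Cisco ISE version string against the three critical CVEs in
this bulletin. Affected releases and fixing patch levels are taken from
the bulletin text; the "3.3 Patch 5" version-string format is assumed."""
import re

# Per-CVE data from the bulletin: affected release train -> first fixed patch.
# CVE-2025-20282 affects only Release 3.4; the other two affect 3.3 and 3.4.
FIXED_PATCH = {
    "CVE-2025-20281": {"3.3": 7, "3.4": 2},
    "CVE-2025-20282": {"3.4": 2},
    "CVE-2025-20337": {"3.3": 7, "3.4": 2},
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s*Patch\s*(\d+))?\s*$",
                         re.IGNORECASE)


def parse_ise_version(text):
    """Return (release, patch) from strings like '3.4 Patch 1' or '3.2'.
    A missing patch number is treated as Patch 0 (the unpatched release)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised ISE version: %r" % text)
    release = "%s.%s" % (m.group(1), m.group(2))
    patch = int(m.group(3) or 0)
    return release, patch


def triage(version_text):
    """Map each CVE to 'vulnerable', 'fixed' or 'not affected'."""
    release, patch = parse_ise_version(version_text)
    result = {}
    for cve, fixes in FIXED_PATCH.items():
        if release not in fixes:
            # Bulletin: ISE 3.2 or older needs no further action, and only
            # 3.3 and 3.4 are listed as impacted.
            result[cve] = "not affected"
        elif patch >= fixes[release]:
            result[cve] = "fixed"
        else:
            result[cve] = "vulnerable"
    return result


def needs_patch(version_text):
    """True if any of the three CVEs is still open on this version."""
    return "vulnerable" in triage(version_text).values()


if __name__ == "__main__":
    for v in ("3.3 Patch 6", "3.3 Patch 7", "3.4", "3.4 Patch 2", "3.2"):
        print(v, "->", triage(v))
```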

Security systems are important. We must stay attentive and monitor them as usual.
For more information please contact
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)
061 387 9439 (Ms. Sirilak)
092 257 6902 (Ms. Narusorn)

Reference

Weekly Interesting CVE

1. CVE-2025-49699
   Published: 08/07/2025 | Last update: 15/07/2025
   Device/Application/OS target: Microsoft Office
   Attack type: Use-After-Free
   CVSS severity rating: 7
   Detail: A use-after-free in Microsoft Office allows an unauthorized attacker to execute code locally. It affects various Microsoft Office products, including Microsoft 365 Apps, Office 2019, Office LTSC 2021, Office LTSC 2024 and Office 2016.
   Solution: Update to the latest patch.
   Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49699

2. CVE-2025-20337
   Published: 25/06/2025 | Last update: 24/07/2025
   Device/Application/OS target: Cisco Identity Services Engine (ISE)
   Attack type: Remote Code Execution
   CVSS severity rating: 10.0
   Detail: Multiple vulnerabilities in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit these vulnerabilities.
   Solution:
   Cisco ISE 3.3: update to Patch 7
   Cisco ISE 3.4: update to Patch 2
   Cisco ISE 3.2 or older: no further action is necessary.
   Reference: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6

3. CVE-2025-47111
   Published: 10/06/2025 | Last update: 25/07/2025
   Device/Application/OS target: Adobe Acrobat and Reader; Red Hat Enterprise 8, 9, 10
   Attack type: NULL Pointer Dereference
   CVSS severity rating: 5.5
   Detail: A NULL Pointer Dereference vulnerability in Adobe Acrobat Reader that affects versions 24.001.30235, 20.005.30763, 25.001.20521 and earlier. An attacker could exploit this vulnerability by tricking a user into opening a maliciously crafted file, which would trigger an application crash. This could disrupt user productivity and potentially prevent access to critical PDF documents.
   Solution: Update to version 25.001.20531 (Win) or 25.001.20529 (Mac).
   Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-47111

4. CVE-2024-47107
   Published: 19/06/2025 | Last update: 25/07/2025
   Device/Application/OS target: IBM QRadar SIEM
   Attack type: XML External Entity Injection (XXE)
   CVSS severity rating: 7.1
   Detail: IBM QRadar SIEM 7.5 - 7.5.0 UP12 IF01 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
   Solution: Upgrade to version 7.5.0 UP12 IF02.
   Reference: https://www.ibm.com/support/pages/security-bulletin-ibm-qradar-siem-contains-multiple-vulnerabilities-38

5. CVE-2025-27930
   Published: 23/07/2025 | Last update: 25/07/2025
   Device/Application/OS target: Zohocorp ManageEngine Applications Manager
   Attack type: Cross-Site Scripting (XSS)
   CVSS severity rating: 6.4
   Detail: Zohocorp ManageEngine Applications Manager versions 176600 and prior are vulnerable to stored cross-site scripting in the File/Directory monitor.
   Solution: Update to version 176700.
   Reference: http://nvd.nist.gov/vuln/detail/CVE-2025-27930


Malware News or Campaign IOC/IOA | EN

1. Scattered Spider is running a VMware ESXi hacking spree
   Detection date: 27/07/2025
   Attack type: Ransomware, Information-Stealer
   Description: The financially motivated hacking group Scattered Spider has been aggressively compromising VMware ESXi hypervisors in the retail, airline, transportation, and insurance sectors in the U.S. Instead of exploiting software vulnerabilities, they use highly convincing social engineering, such as impersonating employees in IT help desk calls, to gain initial access by resetting AD passwords. Once inside, the attackers search for IT documentation, admin accounts, and privileged access management (PAM) systems to take over the VMware vCenter Server Appliance (vCSA). They enable SSH access, reset root passwords, and perform a "disk-swap attack" to extract the NTDS.dit file from Active Directory, effectively stealing sensitive authentication data. Having total control of the virtual environment, they delete backups and finally deploy ransomware to encrypt VM files.
   Mitigation/Remediation:
   • Lock down vSphere (e.g., disable SSH, encrypt VMs)
   • Implement antivirus
   • Awareness training so that staff are more careful with email usage and phishing mail
   • Centralize logs in SIEMs and use immutable, air-gapped backups
   • Enforce phishing-resistant MFA

Ref: https://www.bleepingcomputer.com/news/security/scattered-spider-is-running-a-vmware-esxi-hacking-spree/

13 August 2025