CVE-2025-20264

Published: Jun 25, 2025Modified: Jul 8, 2025

6.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L

Exploitability: 3.1 / Impact: 2.7

Source: psirt@cisco.com (Secondary)

Description

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to bypass the authorization mechanisms for specific administrative functions. This vulnerability is due to insufficient authorization enforcement mechanisms for users created by SAML SSO integration with an external identity provider. An attacker could exploit this vulnerability by submitting a series of specific commands to an affected device. A successful exploit could allow the attacker to modify a limited number of system settings, including some that would result in a system restart. In single-node Cisco ISE deployments, devices that are not authenticated to the network will not be able to authenticate until the Cisco ISE system comes back online. 

Affected (35)

Products: Cisco: Identity Services Engine

Cisco

1 product

Identity Services Engine

Configuration A

35 vulnerable

Vulnerable Software	Affected Versions
Cisco Identity Services Engine	Version 3.0.0
Cisco Identity Services Engine	Version 3.0.0 patch1
Cisco Identity Services Engine	Version 3.0.0 patch2
Cisco Identity Services Engine	Version 3.0.0 patch3
Cisco Identity Services Engine	Version 3.0.0 patch4
Cisco Identity Services Engine	Version 3.0.0 patch5
Cisco Identity Services Engine	Version 3.0.0 patch6
Cisco Identity Services Engine	Version 3.0.0 patch7
Cisco Identity Services Engine	Version 3.0.0 patch8
Cisco Identity Services Engine	Version 3.1.0
Cisco Identity Services Engine	Version 3.1.0 patch10
Cisco Identity Services Engine	Version 3.1.0 patch1
Cisco Identity Services Engine	Version 3.1.0 patch2
Cisco Identity Services Engine	Version 3.1.0 patch3
Cisco Identity Services Engine	Version 3.1.0 patch4
Cisco Identity Services Engine	Version 3.1.0 patch5
Cisco Identity Services Engine	Version 3.1.0 patch6
Cisco Identity Services Engine	Version 3.1.0 patch7
Cisco Identity Services Engine	Version 3.1.0 patch8
Cisco Identity Services Engine	Version 3.1.0 patch9
Cisco Identity Services Engine	Version 3.2.0
Cisco Identity Services Engine	Version 3.2.0 patch1
Cisco Identity Services Engine	Version 3.2.0 patch2
Cisco Identity Services Engine	Version 3.2.0 patch3
Cisco Identity Services Engine	Version 3.2.0 patch4
Cisco Identity Services Engine	Version 3.2.0 patch5
Cisco Identity Services Engine	Version 3.2.0 patch6
Cisco Identity Services Engine	Version 3.2.0 patch7
Cisco Identity Services Engine	Version 3.3.0
Cisco Identity Services Engine	Version 3.3.0 patch1
Cisco Identity Services Engine	Version 3.3.0 patch2
Cisco Identity Services Engine	Version 3.3.0 patch3
Cisco Identity Services Engine	Version 3.3.0 patch4
Cisco Identity Services Engine	Version 3.4.0
Cisco Identity Services Engine	Version 3.4.0 patch1

Related CWEs

CWE-285

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References (1)

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-auth-bypass-mVfKVQAU

Source: psirt@cisco.com

Vendor Advisory

Timeline

No history available yet.