CVE-2025-20284

Published: Jul 16, 2025Modified: Jul 22, 2025

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system as root. This vulnerability is due to insufficient validation of user-supplied input. An attacker with valid credentials could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to execute commands as the root user. To exploit this vulnerability, the attacker must have valid high-privileged credentials.

Affected (20)

Products: Cisco: Identity Services Engine, Identity Services Engine Passive Identity Connector

Cisco

2 products

Identity Services Engine

Identity Services Engine Passive Identity Connector

Configuration A

10 vulnerable

Vulnerable Software	Affected Versions
Cisco Identity Services Engine	Before 3.3.0
Cisco Identity Services Engine	Version 3.3.0
Cisco Identity Services Engine	Version 3.3.0 patch1
Cisco Identity Services Engine	Version 3.3.0 patch2
Cisco Identity Services Engine	Version 3.3.0 patch3
Cisco Identity Services Engine	Version 3.3.0 patch4
Cisco Identity Services Engine	Version 3.3.0 patch5
Cisco Identity Services Engine	Version 3.3.0 patch6
Cisco Identity Services Engine	Version 3.4.0
Cisco Identity Services Engine	Version 3.4.0 patch1

Configuration B

10 vulnerable

Vulnerable Software	Affected Versions
Cisco Identity Services Engine Passive Identity Connector	Before 3.3.0
Cisco Identity Services Engine Passive Identity Connector	Version 3.3.0
Cisco Identity Services Engine Passive Identity Connector	Version 3.3.0 patch1
Cisco Identity Services Engine Passive Identity Connector	Version 3.3.0 patch2
Cisco Identity Services Engine Passive Identity Connector	Version 3.3.0 patch3
Cisco Identity Services Engine Passive Identity Connector	Version 3.3.0 patch4
Cisco Identity Services Engine Passive Identity Connector	Version 3.3.0 patch5
Cisco Identity Services Engine Passive Identity Connector	Version 3.3.0 patch6
Cisco Identity Services Engine Passive Identity Connector	Version 3.4.0
Cisco Identity Services Engine Passive Identity Connector	Version 3.4.0 patch1

Related CWEs

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References (1)

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multi-3VpsXOxO

Source: psirt@cisco.com

Vendor Advisory

Timeline

No history available yet.