A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.
The vulnerability stems from insufficient validation of user-supplied data to a specific API endpoint (CWE-74 — injection). The attacker sends a specially crafted request to the exposed API without requiring authentication. The improperly processed payload allows injection and execution of arbitrary code directly in the context of the device's operating system.
Successful exploitation of the vulnerability grants the attacker full root privileges on the targeted device, meaning complete system takeover, the ability to read and modify all data (including identity configurations and access policies), and potential lateral movement in the organization's network infrastructure.
Patches from the manufacturer must be applied immediately in accordance with the official Cisco Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6. Until the patch is implemented, it is recommended to restrict access to the Cisco ISE API only to trusted hosts at the firewall/ACL level and to continuously monitor logs for unexpected API requests.
Cisco Identity Services Engine (ISE) and Cisco Identity Services Engine Passive Identity Connector (ISE-PIC) — specific versions indicated in manufacturer references (Cisco Security Advisory cisco-sa-ise-unauth-rce-ZAd2GnJ6)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HCisco Identity Services Engine
APPCisco3.3.03.4.0Cisco Identity Services Engine Passive Identity Connector
APPCisco3.3.03.4.0
CISA KEV — detailsi
- Vendori
- Cisco ↗
- Producti
- Identity Services Engine
- Added to KEVi
- July 28, 2025
- Remediation deadline (US Federal)i
- August 18, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Cisco Identity Services Engine contains an injection vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC due to insufficient validation of user-supplied input allowing an attacker to exploit this vulnerability by submitting a crafted API request. Successful exploitation could allow an attacker to perform remote code execution and obtaining root privileges on an affected device.
Related vulnerabilities
Nieuwierzytelniony RCE jako root w Cisco ISE i ISE-PIC poprzez API
A vulnerability in Cisco ISE and ISE-PIC could allow an authenticated, remote attacker to execute arbitrary co...
RCE w Cisco ISE — eskalacja uprawnień do root przez HTTP
Nieautoryzowany RCE jako root w Cisco ISE i ISE-PIC
Cisco ISE w chmurze: współdzielone statyczne poświadczenia umożliwiają nieautoryzowany dostęp