Table of Contents
The National Computer Emergency Team has issued a high-priority advisory regarding a critical authentication bypass vulnerability affecting Cisco Identity Services Engine (ISE) when deployed via official Cisco images on cloud platforms such as Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI).
Tracked as CVE-2025-20286, the vulnerability is rated 9.9 (Critical) on the CVSS scale and presents an urgent threat. It allows unauthenticated remote attackers to gain full administrative access to affected ISE cloud instances.
MCB and Toyota Launch Limited-Time Car Financing Offer
The flaw stems from credential reuse, hard-coded credentials, and improper session validation in Cisco’s marketplace-provided images—leaving deployments vulnerable to complete compromise.
What Is Affected?
- Product: Cisco Identity Services Engine (ISE)
- Versions Impacted: ISE 3.1 through 3.4
- Deployment Scope: Cloud-only; specifically:
- AWS Marketplace Images
- Azure Marketplace Images
- Oracle Cloud Infrastructure (OCI) Marketplace Images
- Not Affected:
- On-premise installations
- Custom or manually configured cloud deployments where the Primary Administration Node was independently deployed
Vulnerability Details
The vulnerability can be exploited remotely and without any user interaction or credentials, significantly increasing its risk. The advisory outlines the following characteristics:
- Attack Complexity: Low
- Authentication: Not required
- Access Vector: Internet-exposed HTTPS management interface
- Exploit Availability: Public proof-of-concept (PoC) available
- Potential Impact:
- Full admin access
- Modification or disabling of access/security policies
- Exposure of sensitive identity/authentication logs
- Lateral movement within the cloud network
- Complete ISE system compromise
Mitigation and Remediation Steps
Immediate Action:
- Redeploy ISE using Cisco’s updated cloud images released in June 2025.
- Ensure the Primary Admin Node is manually initialized during setup.
- Disable public access to the ISE admin interface.
- Route ISE admin access through a secured VPN or private endpoint.
Additional Emergency Measures:
- Enforce Multi-Factor Authentication (MFA).
- Isolate ISE from external networks using virtual network controls.
- Rotate credentials and access keys linked to affected instances.
- Audit IAM permissions across cloud accounts for potential misuse.
Detection and Response:
- Monitor ISE logs for suspicious activity or unauthorized access.
- Integrate ISE log output into SIEM platforms for real-time monitoring.
- Initiate forensic investigations where compromise is suspected.
Root Causes Identified
According to the advisory, the vulnerability arises from multiple critical security design oversights:
- Use of hard-coded credentials in pre-configured images
- Improper session/token validation
- Default insecure configurations in marketplace images
- Credential reuse across images and deployments
These oversights collectively allow an attacker to bypass standard authentication checks and perform privileged operations.
Strategic Recommendations for Organizations
Organizations currently using affected ISE cloud deployments should:
- Prioritize redeployment using Cisco’s latest secure images.
- Limit all internet-facing access to cloud-based ISE interfaces.
- Conduct full credential and key rotation for impacted services.
- Establish zero-trust policies around identity infrastructure.
- Perform a comprehensive security audit of existing configurations and logs.
Cisco’s Response
Cisco has acknowledged CVE-2025-20286 and confirmed the availability of patched images for AWS, Azure, and OCI as of June 2025. These images include corrected access controls, enhanced session validation, and eliminated use of hard-coded credentials.
Administrators are advised to refer to Cisco’s official documentation for guidance on securing cloud deployments and verifying image integrity.
