Advisory June 6, 2025

Cisco ISE Cloud Static Credentials (CVE-2025-20286)

The Obrela Threat Intelligence Team

A vulnerability has been identified in cloud deployments of Cisco Identity Services Engine (ISE). It could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configuration, or disrupt services on the affected instance. The vulnerability (CVE-2025-20286) carries a CVSS v3.1 base score of 9.9 out of 10 (Critical).

Description:

According to a Cisco security advisory, ISE cloud deployments on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) generate credentials improperly at deployment time, with the result that different ISE deployments running the same software release on the same cloud platform end up sharing the same static credentials. A threat actor who extracts these credentials from one cloud-hosted ISE instance can reuse them against any other reachable ISE instance of the same release on the same platform, gaining access to sensitive data, executing administrative operations, modifying the system, and more. Exploitation requires that the ISE administrative interfaces be reachable by the attacker, which is why network exposure of those ports matters as much as the credentials themselves.

This concerns only deployments in which the Primary Administration node (PAN) runs in the cloud; deployments with the PAN on premises are not affected.

Affected Versions:

The following cloud deployments and ISE versions are affected and should be updated as soon as possible:

  • AWS: ISE Versions 3.1, 3.2, 3.3, and 3.4
  • Azure and OCI: ISE Versions 3.2, 3.3, and 3.4

The issue does not affect on-premises deployments of ISE, nor cloud deployments on Azure VMware Solution (AVS), Google Cloud VMware Engine, or VMware Cloud on AWS, nor ISE hybrid deployments in which all ISE Administrator personas remain on premises and only other personas run in the cloud.

Recommendations:

  • Apply Cisco's fixes to vulnerable deployments promptly. Where that is not immediately possible, restrict network access to the ISE administrative interfaces so that only authorized administrators' networks can reach them.
  • Review administrator access logs on vulnerable instances for successful logins from unexpected sources, to rule out unauthorized access that may already have occurred.
  • Keep future instances on current, fixed releases, enabling automatic updates wherever the platform supports it.
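The two checks above (is this instance in the affected set, and has anyone logged in to it from outside the networks we trust) are simple enough to script. The following is an added example written for this advisory; it is not Cisco tooling or code from the Obrela team. The log line format is a constructed, syslog-style approximation of an administrator login event, chosen so the example runs offline; real ISE audit exports use different field names, so the regular expression must be adapted to what your collector actually receives. The affected-set table transcribes the release and platform list from this advisory and does not account for hot patches, so a "affected" result means "check the patch level", not "confirmed vulnerable".

```python
"""Exposure triage for cloud-hosted Cisco ISE and CVE-2025-20286.

Added example; not part of the advisory or of any Cisco product.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Cloud platform -> ISE releases listed as affected in the advisory.
# Patch level is not considered; treat a hit as "verify the fix is applied".
AFFECTED = {
    "aws": {"3.1", "3.2", "3.3", "3.4"},
    "azure": {"3.2", "3.3", "3.4"},
    "oci": {"3.2", "3.3", "3.4"},
}


def is_affected(platform: str, release: str) -> bool:
    """True when (cloud platform, ISE release) is in the affected set.

    A full release string such as '3.3.0.430' is reduced to '3.3' because
    the advisory lists affected releases at major.minor granularity.
    Unknown platforms (on premises, VMware-based clouds, ...) return False.
    """
    major_minor = ".".join(release.split(".")[:2])
    return major_minor in AFFECTED.get(platform.lower(), set())


# Constructed line shape (assumption, not the real ISE audit format):
#   <timestamp> <host> ISE_Admin_Login user=<name> src=<ip> result=<success|failure>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) ISE_Admin_Login "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    src: str
    reason: str


def triage(lines: Iterable[str], trusted_nets: List[str]) -> List[Finding]:
    """Return successful admin logins whose source is not in a trusted network.

    Failed logins are skipped: the question the advisory asks is whether
    access was obtained, not whether it was attempted. Lines that are not
    admin-login events are ignored. A successful login whose source field
    is not a parsable IP address is reported rather than silently dropped,
    since that is exactly the record an analyst should look at by hand.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["result"] != "success":
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            findings.append(Finding(m["ts"], m["user"], m["src"],
                                    "successful admin login with unparsable source address"))
            continue
        if not any(src in net for net in nets):
            findings.append(Finding(m["ts"], m["user"], m["src"],
                                    "successful admin login from untrusted network"))
    return findings


# Constructed sample input: two trusted logins, one failed and one successful
# login from an external address, an unrelated event, and a malformed source.
SAMPLE_LOG = [
    "2025-06-05T09:12:01Z ise-pan-01 ISE_Admin_Login user=admin src=10.20.0.15 result=success",
    "2025-06-05T09:13:44Z ise-pan-01 ISE_Admin_Login user=admin src=203.0.113.77 result=failure",
    "2025-06-05T09:14:02Z ise-pan-01 ISE_Admin_Login user=admin src=203.0.113.77 result=success",
    "2025-06-05T09:15:30Z ise-pan-01 RADIUS_Auth user=alice result=success",
    "2025-06-05T09:16:00Z ise-pan-01 ISE_Admin_Login user=svc-backup src=2001:db8::9 result=success",
    "2025-06-05T09:17:10Z ise-pan-01 ISE_Admin_Login user=admin src=- result=success",
]
TRUSTED_NETS = ["10.20.0.0/16", "2001:db8::/48"]

if __name__ == "__main__":
    print("in affected set:", is_affected("aws", "3.3.0.430"))
    for f in triage(SAMPLE_LOG, TRUSTED_NETS):
        print(f"{f.ts} {f.user} {f.src}: {f.reason}")
```

Run against the constructed sample, the script reports the 203.0.113.77 login and the malformed-source login, and nothing for the trusted IPv4 and IPv6 sources or the failed attempt. Feed it your real administrator audit export with the regular expression adjusted, and put every address range from which administrators legitimately reach the PAN in the trusted list; a single hit from outside it on an instance in the affected set warrants an incident response investigation, not just a patch.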

References: