9.9

CVE-2025-20124

EPSS 0.66%
Veröffentlicht 05.02.2025 17:15:22
Zuletzt bearbeitet 28.03.2025 13:22:42
Quelle psirt@cisco.com
Teams Watchlist Login
Unerledigt Login

A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device.

This vulnerability is due to insecure deserialization of user-supplied Java byte streams by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object to an affected API. A successful exploit could allow the attacker to execute arbitrary commands on the device and elevate privileges.
Note: To successfully exploit this vulnerability, the attacker must have valid read-only administrative credentials. In a single-node deployment, new devices will not be able to authenticate during the reload time.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cisco ≫ Identity Services Engine Version < 3.1

Cisco ≫ Identity Services Engine Version3.1.0 Update-

Cisco ≫ Identity Services Engine Version3.1.0 Updatepatch1

Cisco ≫ Identity Services Engine Version3.1.0 Updatepatch2

Cisco ≫ Identity Services Engine Version3.1.0 Updatepatch3

Cisco ≫ Identity Services Engine Version3.1.0 Updatepatch4

Cisco ≫ Identity Services Engine Version3.1.0 Updatepatch5

Cisco ≫ Identity Services Engine Version3.1.0 Updatepatch6

Cisco ≫ Identity Services Engine Version3.1.0 Updatepatch7

Cisco ≫ Identity Services Engine Version3.1.0 Updatepatch8

Cisco ≫ Identity Services Engine Version3.1.0 Updatepatch9

Cisco ≫ Identity Services Engine Version3.2.0 Update-

Cisco ≫ Identity Services Engine Version3.2.0 Updatepatch1

Cisco ≫ Identity Services Engine Version3.2.0 Updatepatch2

Cisco ≫ Identity Services Engine Version3.2.0 Updatepatch3

Cisco ≫ Identity Services Engine Version3.2.0 Updatepatch4

Cisco ≫ Identity Services Engine Version3.2.0 Updatepatch5

Cisco ≫ Identity Services Engine Version3.2.0 Updatepatch6

Cisco ≫ Identity Services Engine Version3.3.0 Update-

Cisco ≫ Identity Services Engine Version3.3.0 Updatepatch1

Cisco ≫ Identity Services Engine Version3.3.0 Updatepatch2

Cisco ≫ Identity Services Engine Version3.3.0 Updatepatch3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.66%	0.703

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
psirt@cisco.com	9.9	3.1	6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multivuls-FTW9AOXF

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-20124

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-20124

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-20124

EUVD