CVE-2025-20283

Media report

EPSS 0.09%
Published 16.07.2025 16:16:37
Last modified 22.07.2025 14:19:31
Source psirt@cisco.com
Teams watchlist Login
Open Login

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system as root.

This vulnerability is due to insufficient validation of user-supplied input. An attacker with valid credentials could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to execute commands as the root user. To exploit this vulnerability, the attacker must have valid high-privileged credentials.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Cisco ≫ Identity Services Engine Version < 3.3.0

Cisco ≫ Identity Services Engine Version3.3.0 Update-

Cisco ≫ Identity Services Engine Version3.3.0 Updatepatch1

Cisco ≫ Identity Services Engine Version3.3.0 Updatepatch2

Cisco ≫ Identity Services Engine Version3.3.0 Updatepatch3

Cisco ≫ Identity Services Engine Version3.3.0 Updatepatch4

Cisco ≫ Identity Services Engine Version3.3.0 Updatepatch5

Cisco ≫ Identity Services Engine Version3.3.0 Updatepatch6

Cisco ≫ Identity Services Engine Version3.4.0 Update-

Cisco ≫ Identity Services Engine Version3.4.0 Updatepatch1

Cisco ≫ Identity Services Engine Passive Identity Connector Version < 3.3.0

Cisco ≫ Identity Services Engine Passive Identity Connector Version3.3.0 Update-

Cisco ≫ Identity Services Engine Passive Identity Connector Version3.3.0 Updatepatch1

Cisco ≫ Identity Services Engine Passive Identity Connector Version3.3.0 Updatepatch2

Cisco ≫ Identity Services Engine Passive Identity Connector Version3.3.0 Updatepatch3

Cisco ≫ Identity Services Engine Passive Identity Connector Version3.3.0 Updatepatch4

Cisco ≫ Identity Services Engine Passive Identity Connector Version3.3.0 Updatepatch5

Cisco ≫ Identity Services Engine Passive Identity Connector Version3.3.0 Updatepatch6

Cisco ≫ Identity Services Engine Passive Identity Connector Version3.4.0 Update-

Cisco ≫ Identity Services Engine Passive Identity Connector Version3.4.0 Updatepatch1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.09%	0.261

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.2	1.2	5.9	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
psirt@cisco.com	6.5	1.2	5.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

https://www.heise.de/news/Weitere-kritische-Luecke-in-Ciscos-ISE-10490589.html

Medienbericht

heise Security

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multi-3VpsXOxO

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-20283

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-20283

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-20283

EUVD