CVE-2025-20281
Description
A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability.
This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.
Related News
Security researcher Bobby Gould has published a blog post demonstrating a complete exploit chain for CVE-2025-20281, an unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE). [...]
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-20281 Cisco Identity Services Engine Injection Vulnerability CVE-2025-20337 Cisco Identity Serv…
Cisco warns of active exploits targeting Identity Services Engine (ISE) and ISE-PIC flaws, first observed in July 2025. Cisco confirmed attempted exploitation in the wild of recently disclosed ISE and ISE-PIC flaws (CVE-2025-20281, CVE-2025-20282, CVE-2025-20…
Cisco released patches to address two critical vulnerabilities in ISE and ISE-PIC that could let remote attackers execute code as root. Cisco addressed two critical vulnerabilities, tracked as CVE-2025-20281 and CVE-2025-20282, in Identity Services Engine …
Known Exploited Vulnerability
This vulnerability is actively being exploited in the wild
Required Action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
EU Vulnerability Database
Monitored by ENISA for EU cybersecurity
Data provided by ENISA EU Vulnerability Database. Last updated: July 30, 2025
GitHub Security Advisories
Community-driven vulnerability intelligence from GitHub
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Advisory provided by GitHub Security Advisory Database. Published: June 26, 2025, Modified: July 30, 2025
Social Media Intelligence
Real-time discussions and threat intelligence from social platforms
Gayfemboy Botnet resurfaces with advanced evasion & global router attacks Citizen researchers + Fortinet have observed the return of the **Mirai-based Gayfemboy botnet**, targeting IoT routers and enterprise devices worldwide. 🌍 **Infected regions**: U.S., Brazil, Mexico, Israel, Germany, Switzerland, Vietnam. 🔑 **Highlights**: * Exploits flaws in DrayTek Vigor, TP-Link Archer …
August Patch Tuesday updates Today's Patch Tuesday overview: ▪️ Microsoft has addressed 107 vulnerabilities, one zero-day with PoC (CVE-2025-53779), 13 critical ▪️ Third-party: actively exploited vulnerabilities in Google Chrome, Android, Apple, Cisco ISE, and Wing FTP Server, plus major third-party issues affecting Axis Communications, Dell ControlVault3, Nvidia, WordPress, and Sophos …
Security Watch 8/1/25 On K12TechPro, we've launched a weekly cyber threat intelligence and vulnerability newsletter with NTP and K12TechPro. We'll post the "public" news to k12sysadmin from each newsletter. For the full "k12 techs only" portion (no middle schoolers, bad guys, vendors, etc. allowed), log into [k12techpro.com](http://k12techpro.com) and visit the …
🔥 Top 10 Trending CVEs (30/07/2025) Here’s a quick breakdown of the 10 most interesting vulnerabilities trending today: **1. [CVE-2023-2533](https://nvd.nist.gov/vuln/detail/CVE-2023-2533)** - 📝 A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary …
🔥 Top 10 Trending CVEs (29/07/2025) Here’s a quick breakdown of the 10 most interesting vulnerabilities trending today: **1. [CVE-2025-31199](https://nvd.nist.gov/vuln/detail/CVE-2025-31199)** - 📝 A logging issue was addressed with improved data redaction. This issue is fixed in iOS 18.4 and iPadOS 18.4, visionOS 2.4, macOS Sequoia 15.4. An app may be …
🔥 Top 10 Trending CVEs (28/07/2025) Here’s a quick breakdown of the 10 most interesting vulnerabilities trending today: **1. [CVE-2025-22230](https://nvd.nist.gov/vuln/detail/CVE-2025-22230)** - 📝 VMware Tools for Windows contains an authentication bypass vulnerability due to improper access control. A malicious actor with non-administrative privileges on a guest VM may gain ability to perform …
🔥 Top 10 Trending CVEs (27/07/2025) Here’s a quick breakdown of the 10 most interesting vulnerabilities trending today: **1. [CVE-2025-23266](https://nvd.nist.gov/vuln/detail/CVE-2025-23266)** - 📝 NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions. A …
🔥 Top 10 Trending CVEs (26/07/2025) Here’s a quick breakdown of the 10 most interesting vulnerabilities trending today: **1. [CVE-2025-2775](https://nvd.nist.gov/vuln/detail/CVE-2025-2775)** - 📝 SysAid On-Prem versions <= 23.3.40 are vulnerable to an unauthenticated XML External Entity (XXE) vulnerability in the Checkin processing functionality, allowing for administrator account takeover and file read …
Cisco Confirms Active Exploits Targeting ISE Flaws Enabling Unauthenticated Root Access Cisco has confirmed active exploitation of **three unauthenticated remote code execution (RCE)** vulnerabilities in **Identity Services Engine (ISE)** and **ISE-Passive Identity Connector (ISE-PIC)**: * **CVE-2025-20281** (API command injection) * **CVE-2025-20282** (malicious file upload) * **CVE-2025-20337** (API command injection) All …
Security Updates Sharepoint, Netscaler and Cisco ISE **Serious security vulnerability in Microsoft SharePoint is being exploited** The Nationaal Cyber Security Centrum (NCSC), Microsoft and the US cyber agency CISA are sounding the alarm: a critical vulnerability in Microsoft SharePoint is being actively exploited. This vulnerability, designated CVE-2025-53770, enables attackers to …