
Cisco has disclosed a new maximum-severity security vulnerability affecting Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that may allow an attacker to execute arbitrary code on the underlying operating system with elevated privileges.
Tracked as CVE-2025-20337, the flaw carries a CVSS score of 10.0 and is the same kind of flaw as CVE-2025-20281, which was patched by the networking equipment vendor late last month.
The company said in an updated advisory, “Many weaknesses in a specific API of Cisco ISE and Cisco ISE-PIC can allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any legitimate credentials to exploit these weaknesses.”
“These weaknesses are due to insufficient verification of input supplied by the user. An attacker can take advantage of these weaknesses by presenting an API request. A successful exploitation may allow the attacker to obtain root privileges on an affected device.”
Kentaro Kawane of GMO Cybersecurity has been credited with discovering and reporting the defects. Kawane was previously acknowledged for two other critical Cisco ISE defects (CVE-2025-20286 and CVE-2025-20282) and for another critical bug in Fortinet FortiWeb (CVE-2025-25257).
CVE-2025-20337 affects ISE and ISE-PIC releases 3.3 and 3.4 regardless of device configuration. It does not affect ISE and ISE-PIC release 3.2 or earlier. The issue is patched in the following versions:
- Cisco ISE or ISE-PIC release 3.3 (fixed in 3.3 Patch 7)
- Cisco ISE or ISE-PIC release 3.4 (fixed in 3.4 Patch 2)
There is no evidence that the vulnerability has been exploited in a malicious context. That said, it is always good practice to keep systems up to date to avoid potential threats.
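The fixed-release list above can be turned into a quick inventory triage. The following is an added example, not Cisco's tooling or part of the original article; the CSV layout, hostnames and build numbers are constructed, and releases the article does not mention are reported as unknown rather than guessed.

```python
import csv
import io

# First fixed patch per release, as stated in the article.
FIXED_PATCH = {(3, 3): 7, (3, 4): 2}

def classify(version, patch):
    """Return 'affected', 'fixed', 'not affected' or 'unknown' for one node."""
    try:
        major, minor = (int(p) for p in (version or "").strip().split(".")[:2])
        patch_level = int((patch or "").strip() or 0)  # empty field = no patch
    except ValueError:
        return "unknown"  # unparseable inventory entry: review by hand
    release = (major, minor)
    if release in FIXED_PATCH:
        return "fixed" if patch_level >= FIXED_PATCH[release] else "affected"
    if release <= (3, 2):
        return "not affected"  # article: release 3.2 or earlier is not affected
    return "unknown"  # release not covered by the article

def triage(inventory_csv):
    """Map each host in a host,version,patch CSV to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["version"], r["patch"]) for r in rows}

# Constructed sample inventory (hypothetical hosts; the format is an assumption).
SAMPLE = """host,version,patch
ise-pan-01,3.3.0.430,6
ise-psn-02,3.3.0.430,7
ise-psn-03,3.4.0.608,
ise-pic-04,3.4.0.608,2
ise-old-05,3.2.0.542,5
ise-lab-06,unknown,1
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Nodes reported as unknown need a manual check against the vendor advisory.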
The disclosure comes as the Shadowserver Foundation reported that threat actors have been exploiting publicly released exploits associated with CVE-2025-25257 to drop web shells on susceptible Fortinet FortiWeb instances since July 11, 2025.
As of July 15, there are an estimated 77 infected instances, down from 85 a day earlier. Most of the compromises are concentrated around North America (44), Asia (14), and Europe (13).
Data from the attack surface management platform Censys suggests that, excluding honeypots, 20,098 Fortinet FortiWeb appliances are online, although it is not currently known how many of these are vulnerable to CVE-2025-25257.
“This defect enables unauthenticated attackers to execute arbitrary SQL commands through crafted HTTP requests, which leads to remote code execution (RCE),” Censys said.