Source: Ministry of education information & communication security contingency platform
| Publication Number | TACERT-ANA-2025063008061212 | Publication Time | 2025/06/30 08:52 |
| Incident Type | ANA-Vulnerability Alert | Discovery Time | 2025/06/30 08:52 |
| Impact Level | Low | ||
| [Subject] [Vulnerability Alert] Two Critical Security Vulnerabilities Discovered in Cisco Identity Services |
|||
| [Content] Forwarded from TWCERTCC-200-202506-00000018 Cisco's Identity Services Engine (ISE) is an identity-based security policy management platform that gathers contextual information from networks and user devices, allowing organizations to enforce policies and make access control decisions across network infrastructures. Cisco has recently disclosed two critical security vulnerabilities (CVE-2025-20281, CVSS: 9.8 and CVE-2025-20282, CVSS: 10.0), along with corresponding updates. [CVE-2025-20281, CVSS: 9.8] This vulnerability affects specific APIs in Cisco ISE and ISE-PIC. It allows unauthenticated remote attackers to execute arbitrary code on the underlying operating system with root privileges, without requiring valid credentials. [CVE-2025-20282, CVSS: 10.0] This vulnerability affects internal APIs in Cisco ISE and ISE-PIC. It allows unauthenticated remote attackers to upload arbitrary files to the affected devices and execute them as root on the underlying operating system. Information Sharing Level: WHITE (Information content can be publicly disclosed) |
|||
| [Affected Platform] CVE-2025-20281: Cisco ISE and ISE-PIC versions 3.3, 3.4 CVE-2025-20282: Cisco ISE and ISE-PIC version 3.4 |
|||
| [Recommended Actions] Please apply the fixes according to Cisco’s official advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6 |
|||
| [Reference] https://www.twcert.org.tw/tw/cp-169-10220-062b3-1.html |
|||