The government has issued a formal advisory regarding a Cisco ISE cloud vulnerability that could let remote attackers gain administrative access to cloud-hosted deployments. The flaw impacts Cisco Identity Services Engine (ISE) instances hosted on major platforms such as AWS, Azure, and Oracle Cloud Infrastructure (OCI).
The vulnerability, tracked as CVE-2025-20286 with a critical CVSS score of 9.9, affects Cisco ISE versions 3.1 through 3.4 deployed from Cisco's official cloud marketplace images. It stems from the way credentials are generated during cloud deployment: every deployment of the same ISE release on the same cloud platform ends up with the same credentials, so credentials extracted from one deployment can be used to reach others, exposing those systems to unauthorized access and potential data breaches.
Only cloud deployments built from Cisco's official marketplace images are affected, and only when the Primary Administration Node (PAN) itself runs in the cloud; deployments whose PAN is on-premises, as well as manually configured cloud nodes, remain unaffected.
Cisco has acknowledged that proof-of-concept (PoC) exploit code is publicly available, which significantly increases the threat: a remote attacker who has extracted the shared credentials from one deployment can use them against the administration services of any other exposed deployment on the same platform and release, with no user interaction and without needing any credentials issued by the target itself.
If exploited, attackers could access sensitive data, modify system configuration and network access policies, disrupt services, and pivot to ISE deployments in other cloud environments because the credentials are shared. The attack is low-complexity and carried out remotely over the network, which is what drives the 9.9 score and makes it particularly dangerous.
Cisco has released updated and secure ISE cloud images as of June 2025. The advisory strongly recommends that organizations redeploy affected instances using the new builds. In cases where immediate redeployment isn’t feasible, emergency mitigation steps include:
Administrators are also urged to review system logs for unusual activity, integrate monitoring with SIEM tools, and conduct forensic assessments if a compromise is suspected.
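Because the flaw is exploited remotely against whichever cloud-hosted ISE nodes an attacker can reach, the check most practitioners will want before redeploying is whether the node's administration services are reachable from outside the approved administrator ranges at all. The following is an added example, not code from the advisory, from Cisco, or from the original article: it audits a set of ingress rules for ISE administration ports that are open to sources outside an approved list. The rule dictionaries are a constructed simplification modelled on cloud security-group entries, the sample rules are made up, and the port-to-service map (SSH on 22, the HTTPS admin portal on 443) is an assumption about a typical administration node rather than something the advisory enumerates.

```python
import ipaddress

# Assumption (not stated in the advisory): TCP services of an ISE
# administration node that should only be reachable by administrators.
ADMIN_PORTS = {22: "ssh-cli", 443: "https-admin"}


def _rule_admin_ports(rule):
    """Return the admin ports a single ingress rule covers."""
    if rule["protocol"] == "all":
        return set(ADMIN_PORTS)
    if rule["protocol"] != "tcp":
        return set()
    return {p for p in ADMIN_PORTS if rule["from_port"] <= p <= rule["to_port"]}


def _source_allowed(src, allowed):
    """True if the source range sits entirely inside one approved admin range."""
    return any(src.version == net.version and src.subnet_of(net) for net in allowed)


def find_exposed_admin_rules(rules, admin_cidrs):
    """Flag every admin port reachable from a source range that is not fully
    contained in admin_cidrs. Each finding records the rule index, port,
    service name and offending source range."""
    allowed = [ipaddress.ip_network(c, strict=False) for c in admin_cidrs]
    findings = []
    for idx, rule in enumerate(rules):
        ports = _rule_admin_ports(rule)
        if not ports:
            continue
        for cidr in rule["cidrs"]:
            src = ipaddress.ip_network(cidr, strict=False)
            if _source_allowed(src, allowed):
                continue
            for port in sorted(ports):
                findings.append({"rule": idx, "port": port,
                                 "service": ADMIN_PORTS[port], "source": str(src)})
    return findings


# Constructed sample ingress rules for an ISE node (not real data).
SAMPLE_RULES = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]},      # admin UI to the world
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["203.0.113.0/24"]},   # SSH from admin VPN
    {"protocol": "udp", "from_port": 1812, "to_port": 1813, "cidrs": ["0.0.0.0/0"]},    # RADIUS, not an admin port
    {"protocol": "all", "from_port": 0, "to_port": 65535, "cidrs": ["10.0.0.0/8"]},     # internal network
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["198.51.100.7/32"]},  # stray SSH allowance
]
SAMPLE_ADMIN_CIDRS = ["203.0.113.0/24", "10.0.0.0/8"]  # approved administrator ranges (constructed)


def audit_sample():
    """Run the audit over the constructed sample and return the findings."""
    return find_exposed_admin_rules(SAMPLE_RULES, SAMPLE_ADMIN_CIDRS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"rule {f['rule']}: {f['service']} (tcp/{f['port']}) open to {f['source']}")
```

On the sample above the audit flags two rules: the admin portal open to 0.0.0.0/0 and the single-host SSH allowance that is not inside either approved range. Rules that cover admin ports but originate entirely within an approved range, and rules for non-admin protocols such as RADIUS over UDP, are left alone. The same function can be fed rules exported from the real security group once they are mapped into the same four fields.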
With the Cisco ISE cloud vulnerability posing a high risk of system compromise and data exposure, swift action is necessary to secure cloud environments and prevent exploitation.