Cisco has disclosed a critical security vulnerability, tracked as CVE-2025-20337, affecting its Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). This flaw could enable attackers to execute arbitrary code on the underlying operating system with elevated root privileges without needing any valid credentials. The vulnerability carries a maximum CVSS score of 10.0, highlighting its severe risk.
“Multiple vulnerabilities in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit these vulnerabilities,” Cisco stated in an updated security advisory. The root cause stems from “insufficient validation of user-supplied input,” allowing attackers to exploit the flaw by sending specially crafted API requests. A successful attack could grant the intruder full control over affected devices.
This issue impacts ISE and ISE-PIC software versions 3.3 and 3.4, regardless of device configuration, but earlier releases like 3.2 and below remain unaffected. Cisco has addressed the vulnerability in 3.3 Patch 7 and 3.4 Patch 2 releases, urging users to update promptly. Notably, this vulnerability is similar to CVE-2025-20281, which Cisco patched just last month.
The discovery of the vulnerability is credited to Kentaro Kawane of GMO Cybersecurity, who has previously reported other critical Cisco ISE flaws (CVE-2025-20286 and CVE-2025-20282), as well as a serious security issue in Fortinet FortiWeb (CVE-2025-25257).
While there is currently no evidence that CVE-2025-20337 has been exploited maliciously, experts recommend keeping systems updated to mitigate potential threats.
This announcement coincides with recent reports from The Shadowserver Foundation indicating that cybercriminals have been actively exploiting publicly released vulnerabilities tied to CVE-2025-25257 to deploy web shells on vulnerable Fortinet FortiWeb appliances since July 11, 2025. As of July 15, approximately 77 devices are estimated to be compromised globally, primarily in North America, Asia, and Europe.
According to data from the attack surface management platform Censys, around 20,098 Fortinet FortiWeb devices are currently online, though it remains unclear how many are vulnerable to this particular flaw. Censys noted, “This flaw enables unauthenticated attackers to execute arbitrary SQL commands via crafted HTTP requests, leading to remote code execution (RCE).”
Organizations are advised to stay vigilant and implement patches swiftly to protect their infrastructure from emerging cyber threats.
 and Cisco.....){kind=link}