Cisco Rushes to Fix Two “Perfect-Score” Flaws in Identity Services Engine
What Makes ISE So Important
Cisco Identity Services Engine, better known as ISE, sits at the heart of many company networks. It decides who or what can log in, which devices may join the Wi-Fi, and whether a user can reach a sensitive server. If ISE goes down or is taken over, an attacker can open the gates for anything else that follows.
Two Bugs, Both Rated 10 out of 10
Last week Cisco revealed a pair of weaknesses—CVE-2025-20281 and CVE-2025-20282—that each earned a perfect 10.0 score on the CVSS danger scale. In plain terms, they let a stranger on the internet run any command they want as the root user, without needing a password. One flaw lives in versions 3.3 and later; the other is limited to the 3.4 line but is just as serious.
How Attackers Could Break In
The first bug stems from sloppy input checks. By sending a carefully shaped request to one of ISE’s public APIs, a hacker can trick the service into handing over root-level powers. The second bug hides in the file-upload feature and lets an outsider plant a malicious program in a protected folder, then launch it with full control. Either path ends with the attacker owning the box.
No Quick Tweaks, Only Full Patches
Cisco’s advisory is blunt: there are no workarounds. Owners must install a fixed build. For anyone on version 3.3, that means Patch 6; for 3.4, Patch 2 does the job. The downloads are tagged with “CSCwo99449,” and Cisco urges customers to patch right away before proof-of-concept code shows up online.
Why Speed Matters
Although Cisco says it has not spotted real-world attacks so far, experience shows that criminals move fast once details leak. Security researchers, hobby hackers, and crooks alike scan the internet for exposed systems within hours of a public advisory. Because ISE controls access across the network, a single breach could let an attacker disable policies, add rogue devices, or pivot deeper into corporate systems.
Researchers Who Blew the Whistle
Credit for finding the first flaw goes to Bobby Gould of Trend Micro’s Zero Day Initiative. The second came from Kentaro Kawane of GMO Cybersecurity, who also uncovered another high-risk ISE bug earlier this year. Their work underlines a growing trend: identity and access gear is now prime hunting ground, both for defenders and attackers.
What Network Teams Should Do Now
Admins should download the patch, book a short maintenance window, and upgrade every ISE and ISE-PIC instance in production. After the reboot, confirm the version number and check logs for any odd behavior that might hint at earlier probing. It also pays to tighten firewall rules so only trusted hosts can reach the management interface, cutting down the attack surface before the next surprise flaw appears.
Lessons for the Wider Security World
The episode is a reminder that identity tools are just as critical—and just as vulnerable—as web servers and database clusters. When one of these platforms breaks, every other safeguard that relies on it can crumble. Staying safe means treating patches for access-control systems with the same urgency as those for headline-grabbing bugs like Log4Shell or Heartbleed.
A Call to Stay Alert
Cisco has played its part by shipping fixes quickly, but the baton now passes to customers. Until the last unpatched ISE appliance is updated, the door remains open. Keep an eye on threat-intel feeds, verify backups, and rehearse incident-response steps. Root-level flaws with a perfect CVSS score are rare, yet they demand perfect speed from defenders—because attackers will not wait.