

Multiple VMware Products Vulnerabilities
June 5, 2025
NetSupport RAT Delivered Through Spoofed Verification Pages – Active IOCs
June 5, 2025
Severity
Medium
Analysis Summary
A critical vulnerability, tracked as CVE-2025-20286 and rated High under CVSS, has been discovered in Cisco Identity Services Engine (ISE) when deployed on major cloud platforms including AWS, Microsoft Azure, and Oracle Cloud Infrastructure (OCI). The flaw allows unauthenticated remote attackers to access sensitive data and perform administrative operations, because cloud-based deployments use improperly generated static credentials.
According to Cisco, the vulnerability stems from a security design flaw where all instances of a specific ISE version on the same cloud provider share identical credentials, making it easy for attackers to breach other deployments once one set of credentials is obtained.
This vulnerability is specific to cloud deployments where the Primary Administration node resides in the cloud. Notably, on-premises deployments using ISO or OVA installations are not impacted. Also excluded are hybrid environments where administrative personas are kept on-prem, and specialized configurations such as Azure VMware Solution (AVS) and Google Cloud VMware Engine. The affected versions include ISE 3.1 to 3.4, with AWS deployments vulnerable across all these versions, while Azure and OCI deployments are vulnerable in versions 3.2 through 3.4.
The threat becomes especially serious as proof-of-concept (PoC) exploit code is publicly available, increasing the risk of widespread exploitation. Although Cisco PSIRT confirms the PoC's existence, they state there's no known active exploitation yet. Exploitation requires the attacker to have network access to the cloud management interface and knowledge of the static credentials for the specific ISE version and platform, making it a serious threat in environments with exposed cloud interfaces.
Cisco has issued a comprehensive hot fix named “ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz” for all affected versions and plans to roll out permanent patches in future releases: 3.3P8 in November 2025, 3.4P3 in October 2025, and ISE 3.5 in August 2025. As immediate mitigation, organizations are advised to restrict access using Cloud Security Groups and ISE’s IP allowlisting. For new deployments, Cisco recommends running the “application reset-config ise” command to generate fresh credentials, though this resets the system to factory defaults, requiring careful planning.
Impact
- Sensitive Data Theft
- Unauthorized Access
Indicators of Compromise
CVE
CVE-2025-20286
Affected Vendors
- Cisco
Affected Products
- Cisco Identity Services Engine Software: 3.0.0, 3.0.0 p1, 3.0.0 p2, 3.0.0 p3, 3.1.0, 3.0.0 p4, 3.1.0 p1, 3.0.0 p5, 3.1.0 p3, 3.1.0 p2
- Cisco Identity Services Engine Software: 3.0.0 p6, 3.2.0, 3.1.0 p4, 3.1.0 p5, 3.2.0 p1, 3.0.0 p7, 3.1.0 p6, 3.2.0 p2, 3.1.0 p7, 3.3.0
- Cisco Identity Services Engine Software: 3.2.0 p3, 3.0.0 p8
- Cisco Identity Services Engine Software: 3.2.0 p4, 3.1.0 p8, 3.2.0 p5, 3.2.0 p6, 3.1.0 p9, 3.3 Patch 2, 3.3 Patch 1, 3.3 Patch 3, 3.4.0
- Cisco Identity Services Engine Software: 3.2.0 p7, 3.3 Patch 4, 3.4 Patch 1, 3.1.0 p10, 3.3 Patch 5
Remediation
- Refer to the Cisco Security Advisory for patch, upgrade, or suggested workaround information.
- Install the comprehensive hot fix “ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz” provided by Cisco for affected ISE versions 3.1 through 3.4.
- Prepare for Cisco's scheduled permanent fixes in ISE 3.5 (August 2025), ISE 3.4 Patch 3 (October 2025), and ISE 3.3 Patch 8 (November 2025).
- Use Cloud Security Groups to limit access to the ISE cloud management interface by whitelisting only trusted IP addresses.
- Implement ISE’s built-in IP allowlisting features to control administrative access and reduce exposure.
- For new cloud deployments, run the command “application reset-config ise” on the Primary Administration node to generate unique credentials.
- Ensure that Primary Administration nodes are not deployed in the cloud if avoidable; consider hybrid or on-premises deployments for better control.
- Review and audit all existing ISE deployments on AWS, Azure, and OCI to identify if they share static credentials and assess exposure.
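One way to carry out the audit in the last item, shown as an added example that is not from Cisco or the original advisory: it applies the platform and version scope given in the Analysis Summary and flags management-interface ingress ranges that fall outside a trusted allowlist. The inventory schema, node names and address ranges are constructed assumptions.

```python
import ipaddress
import re

# Affected releases per platform, as stated in the Analysis Summary above.
AFFECTED = {
    "aws": {(3, 1), (3, 2), (3, 3), (3, 4)},
    "azure": {(3, 2), (3, 3), (3, 4)},
    "oci": {(3, 2), (3, 3), (3, 4)},
}

def release(version):
    """Return (major, minor) from strings such as '3.2.0 p4' or '3.3 Patch 2'."""
    m = re.match(r"\s*(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised ISE version: {version!r}")
    return int(m.group(1)), int(m.group(2))

def untrusted_sources(ingress_cidrs, trusted_cidrs):
    """Ingress ranges on the management interface that lie outside every trusted range."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    flagged = []
    for cidr in ingress_cidrs:
        net = ipaddress.ip_network(cidr)
        if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
            flagged.append(cidr)
    return flagged

def triage(node, trusted_cidrs):
    """Classify one inventory record (hypothetical schema, see INVENTORY)."""
    scope = AFFECTED.get(node["platform"].lower(), set())
    # Only deployments whose Primary Administration node is in the cloud are in scope.
    affected = node["pan_in_cloud"] and release(node["version"]) in scope
    flagged = untrusted_sources(node["mgmt_ingress"], trusted_cidrs) if affected else []
    if not affected:
        status = "not-affected"
    else:
        status = "affected-exposed" if flagged else "affected-restricted"
    return {"name": node["name"], "status": status, "untrusted_ingress": flagged}

# Constructed sample data: names, fields and ranges are illustrative only.
TRUSTED = ["10.20.0.0/16"]
INVENTORY = [
    {"name": "ise-aws-a", "platform": "aws", "version": "3.1.0 p7", "pan_in_cloud": True, "mgmt_ingress": ["0.0.0.0/0"]},
    {"name": "ise-az-a", "platform": "azure", "version": "3.1.0 p4", "pan_in_cloud": True, "mgmt_ingress": ["10.20.0.0/16"]},
    {"name": "ise-oci-a", "platform": "oci", "version": "3.3 Patch 2", "pan_in_cloud": True, "mgmt_ingress": ["10.20.5.0/24"]},
    {"name": "ise-hybrid", "platform": "aws", "version": "3.4.0", "pan_in_cloud": False, "mgmt_ingress": ["10.20.0.0/16"]},
]

if __name__ == "__main__":
    for node in INVENTORY:
        print(triage(node, TRUSTED))
```

Nodes reported as affected-exposed are the ones to restrict first; affected-restricted nodes still need the hot fix.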