Analysis Summary

Cisco has disclosed a maximum-severity vulnerability CVE-2025-20337 affecting Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), allowing unauthenticated remote attackers to execute arbitrary code with root privileges. The flaw arises from insufficient validation of user-supplied input in a specific API, which can be exploited through crafted API requests.

This vulnerability impacts ISE and ISE-PIC releases 3.3 and 3.4, regardless of configuration, but does not affect versions 3.2 or earlier. Cisco has released patches fixing the issue in versions 3.3 Patch 7 and 3.4 Patch 2. Currently, there is no evidence of active exploitation. The flaw was reported by security firm, that has previously discovered other critical Cisco ISE vulnerabilities (CVE-2025-20286, CVE-2025-20282) and Fortinet FortiWeb (CVE-2025-25257).

Separately, another security researcher has reported that threat actors are exploiting CVE-2025-25257, a critical Fortinet FortiWeb vulnerability, since July 11, 2025, to deploy web shells on affected systems. As of July 15, there are an estimated 77 compromised FortiWeb instances, primarily in North America (44), Asia (14), and Europe (13). A data indicates over 20,098 FortiWeb appliances are online, though the number vulnerable remains unknown.

CVE-2025-25257 enables unauthenticated attackers to execute arbitrary SQL commands via crafted HTTP requests, leading to remote code execution (RCE). This underlines the urgent need for organizations to patch Cisco ISE and Fortinet FortiWeb devices promptly to prevent potential exploitation and maintain infrastructure security.

Impact

• Remote Code Execution
• Privilege Escalation
• Unauthorized Access

Remediation

• Disable unused APIs or services on Cisco ISE, ISE-PIC, and FortiWeb to reduce the attack surface and potential exploitation vectors.
• Implement strict access controls and role-based permissions on management interfaces to limit administrative exposure.
• Perform regular configuration reviews on Cisco and Fortinet devices to identify misconfigurations that could aid exploitation.
• Enable security advisories and auto-update notifications from Cisco and Fortinet to stay informed of critical patches and threats.
• Educate IT and security teams on these vulnerabilities and exploitation techniques to enhance detection and response readiness.
• Establish an incident response plan for potential exploitation of critical infrastructure vulnerabilities to ensure rapid containment and recovery.
• Test all patches in a staging environment before deployment to production systems to prevent operational disruptions.