Hackers are actively targeting recently disclosed and patched critical vulnerabilities in Cisco's Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), less than a month after security updates were issued.
In June, Cisco disclosed two critical vulnerabilities in ISE and ISE-PIC, tracked as CVE-2025-20281 and CVE-2025-20282, which could allow remote, unauthenticated attackers to execute arbitrary code with root-level privileges on affected systems.
Last week, Cisco updated its security advisory to include a third critical flaw, CVE-2025-20337. The issue affects a specific API and, like CVE-2025-20281, arises from insufficient validation of user-supplied input, potentially enabling attackers to execute arbitrary code. CVE-2025-20282, by contrast, affects another API and stems from inadequate validation of uploaded files, which allows malicious files to be placed in privileged system directories.
“In July 2025, the Cisco PSIRT became aware of attempted exploitation of some of these vulnerabilities in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate these vulnerabilities,” the company said in an updated advisory.
The impacted products include Cisco ISE and ISE-PIC versions 3.3 and 3.4. The issues have been patched in ISE 3.3 Patch 7 and ISE 3.4 Patch 2. Cisco notes that customers running ISE 3.3 Patch 6, even with previous hot patches, must update to the latest patch to receive protection against CVE-2025-20337. Older versions, including ISE 3.2 and below, are not impacted.