Cybersecurity Threat Advisory: Critical Cisco ISE vulnerability

The Cisco Identity Services Engine (ISE) has a critical vulnerability, CVE-2025-20286, with a CVSS score of 9.9 out of 10, affecting ISE deployments hosted on public cloud platforms. If successfully exploited, an unauthenticated, remote threat actor can gain administrative-level access and perform unauthorized operations on vulnerable systems. Read this Cybersecurity Threat Advisory to learn how to mitigate the risks associated with this vulnerability.

What is the threat?

CVE-2025-20286 stems from static credentials in cloud deployments of Cisco ISE. Cisco's advisory covers deployments on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI); it is not limited to AWS. When ISE is deployed on one of these platforms, credentials are generated improperly, so every ISE deployment running the same software release on the same cloud platform ends up with the same credentials. Customers cannot change or remove these credentials through standard configuration options. An attacker who extracts the credentials from any one cloud instance of a given release can reuse them to authenticate remotely to any other instance of the same release and platform that is reachable over unsecured ports. Cisco notes that a deployment is affected only when its Primary Administration Node (PAN) runs in the cloud; deployments whose PAN is on-premises are not affected.

Why is this noteworthy?

This vulnerability can be damaging to organizations running affected ISE deployments. Because exploitation requires no authentication or user interaction, an attacker who can reach the exposed ISE instance, either from a compromised internal network or, more critically, over the internet, can use the shared credentials to log in as a legitimate administrator would. From there, they can access sensitive data such as policy definitions, RADIUS logs, certificate information, and user credentials, execute administrative operations, alter system configuration, or disrupt the network enforcement that ISE provides.

Cisco ISE manages network access control (NAC), 802.1X authentication, posture compliance, and identity policy enforcement. Gaining administrative control over it effectively allows the attacker to dictate how users and devices authenticate to the enterprise network. The attacker could modify authentication policies, allow unauthorized device access, impersonate trusted identities, or shut down policy enforcement entirely, potentially bringing down entire segments of the organization’s network or creating persistent access backdoors.

What is the exposure or risk?

Organizations running affected versions of Cisco ISE with a cloud-hosted Primary Administration Node on AWS, Azure, or OCI are at high risk. If the instance remains unpatched and is internet-accessible or reachable from less-secured internal networks, attackers could use the static credentials to gain administrative access, and because the credentials are valid, the login will not stand out from an ordinary administrator session. This could lead to unauthorized changes to authentication policies, interception of user credentials, network-wide access disruptions, or use of ISE as a pivot point for lateral movement within the network. Because ISE is tightly integrated with identity services, a breach could undermine zero trust architectures and NAC frameworks, making it a valuable and dangerous target.

What are the recommendations?

Barracuda strongly recommends organizations take these steps to protect their environment:

  • Apply the fixed software releases or hot patches listed in Cisco's advisory.
  • Restrict access to the Cisco ISE instance to the source IP addresses of authorized customer administrators, using the cloud platform's security groups (or the equivalent network security rules on Azure and OCI), so that unauthorized or malicious traffic is blocked before it reaches ISE.
  • Ensure that Cisco ISE management interfaces are not publicly exposed and are accessible only from trusted networks or through VPNs.
  • Review administrative access logs for logins from unfamiliar IP addresses or service accounts; since the shared credentials are valid, a source address outside the administrator allow-list is the clearest indicator of abuse.
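As an added illustration of the access-restriction step (this is example code written for this advisory, not code from Cisco, Barracuda, or the Cisco advisory), the following Python audits the ingress rules of an AWS security group attached to an ISE node, reports every management-port rule whose source is not inside the administrator allow-list, and emits the tightened rule set that should replace them. It assumes the ISE admin GUI listens on TCP/443 and the SSH CLI on TCP/22, that ADMIN_SOURCES holds the organization's administrator CIDRs (documentation ranges are used here), and that the input is shaped like `aws ec2 describe-security-groups` JSON; the sample security group is constructed for the example.

```python
"""Audit cloud security-group ingress for a Cisco ISE node.

Added example, not Cisco's or Barracuda's code. Assumptions (not stated in the
advisory): the ISE admin GUI listens on TCP/443 and the CLI on TCP/22, the
input is shaped like `aws ec2 describe-security-groups` JSON, and
ADMIN_SOURCES is the organization's allow-list of administrator CIDRs.
"""
import ipaddress
import json

ISE_MGMT_PORTS = {22, 443}  # assumed management ports: SSH CLI and HTTPS admin portal
# Constructed allow-list using RFC 5737 documentation ranges; replace with real admin sources.
ADMIN_SOURCES = ["203.0.113.0/24", "198.51.100.10/32"]

# Constructed sample, shaped like `aws ec2 describe-security-groups` output.
SAMPLE_SG_JSON = """{
  "SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "ise-pan",
    "IpPermissions": [
      {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
      {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
       "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
      {"IpProtocol": "tcp", "FromPort": 1812, "ToPort": 1813,
       "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
      {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": []}
    ]
  }]
}"""


def _mgmt_ports_in_rule(rule):
    """Management ports a rule opens: all of them for protocol -1, else the TCP range overlap."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return set(ISE_MGMT_PORTS)
    if proto != "tcp":
        return set()
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in ISE_MGMT_PORTS if lo <= p <= hi}


def _rule_sources(rule):
    """Yield every IPv4 and IPv6 source CIDR listed on a rule."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _is_admin_source(cidr, admin_sources):
    """True only if cidr is fully contained in one allow-listed CIDR of the same IP version."""
    net = ipaddress.ip_network(cidr, strict=False)
    for allowed in admin_sources:
        allowed_net = ipaddress.ip_network(allowed, strict=False)
        if allowed_net.version == net.version and net.subnet_of(allowed_net):
            return True
    return False


def find_exposed_mgmt_rules(sg_json, admin_sources=ADMIN_SOURCES):
    """Return (group_id, port, source_cidr) for each management-port ingress whose
    source is not inside the admin allow-list. 0.0.0.0/0 and ::/0 are never allowed,
    and an "all traffic" (-1) rule counts for every management port."""
    findings = []
    for sg in json.loads(sg_json)["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            ports = _mgmt_ports_in_rule(rule)
            if not ports:
                continue  # e.g. RADIUS 1812-1813 is not a management port
            for src in _rule_sources(rule):
                if not _is_admin_source(src, admin_sources):
                    for port in sorted(ports):
                        findings.append((sg["GroupId"], port, src))
    return findings


def hardened_mgmt_rules(admin_sources=ADMIN_SOURCES):
    """Replacement ingress rules: one per management port, sources limited to the allow-list."""
    rules = []
    for port in sorted(ISE_MGMT_PORTS):
        v4 = [{"CidrIp": c} for c in admin_sources if ipaddress.ip_network(c, strict=False).version == 4]
        v6 = [{"CidrIpv6": c} for c in admin_sources if ipaddress.ip_network(c, strict=False).version == 6]
        rules.append({"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                      "IpRanges": v4, "Ipv6Ranges": v6})
    return rules


if __name__ == "__main__":
    for group_id, port, src in find_exposed_mgmt_rules(SAMPLE_SG_JSON):
        print(f"EXPOSED {group_id}: tcp/{port} open to {src}")
    print(json.dumps(hardened_mgmt_rules(), indent=2))
```

Against the constructed sample the audit flags four problems: HTTPS open to 0.0.0.0/0, SSH open to ::/0 via the IPv6 range, and the "all traffic" rule from 10.20.0.0/16, which silently exposes both management ports even though no port is named. The RADIUS rule is left alone because it is not a management port. To use it on a real instance, feed in the output of `aws ec2 describe-security-groups --group-ids <sg-id>`, then remove the flagged rules with `aws ec2 revoke-security-group-ingress` and add the hardened ones with `aws ec2 authorize-security-group-ingress`; on Azure and OCI the same check applies to network security group and security list rules, with the JSON shape adjusted accordingly.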

References

For more in-depth information about the recommendations, please visit the following links:

  • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.

This post originally appeared on Smarter MSP.
