Cisco Identity Services Engine (ISE) (Multiple Version Streams) - Improper Authorization Check (CVE-2025-20125)

Description

A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node.

This vulnerability is due to a lack of authorization in a specific API and improper validation of user-supplied data. An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device.

A successful exploit could allow the attacker to obtain information, modify system configuration, and reload the device.

Note: To successfully exploit this vulnerability, the attacker must have valid read-only administrative credentials. In a single-node deployment, new devices will not be able to authenticate during the reload time.

Affected Product Versions:

  • Cisco Identity Services Engine (ISE) Software 3.0 (all versions)

  • Cisco Identity Services Engine (ISE) Software 3.1 prior to 3.1P10

  • Cisco Identity Services Engine (ISE) Software 3.2 prior to 3.2P7

  • Cisco Identity Services Engine (ISE) Software 3.3 prior to 3.3P4
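The affected-version list above can be applied to an inventory as a patch-level check. The following is an added example, not part of the original advisory or any Cisco tooling; the hostnames, the sample inventory and the accepted version-string spellings (such as "3.1P9" or "3.2 patch 7") are assumptions.

```python
import re

# First fixed patch per release stream, from the list above; None = all versions affected.
FIRST_FIXED_PATCH = {(3, 0): None, (3, 1): 10, (3, 2): 7, (3, 3): 4}
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.\d+)*\s*(?:P(?:atch)?\s*(\d+))?\s*$", re.I)


def parse_ise_version(text):
    """Parse '3.1P9', '3.2 patch 7' or '3.3.0' into ((major, minor), patch)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    patch = int(m.group(3)) if m.group(3) else 0  # no patch suffix = base release
    return (int(m.group(1)), int(m.group(2))), patch


def classify(text):
    """Return 'affected', 'fixed' or 'not-listed' for one version string."""
    stream, patch = parse_ise_version(text)
    if stream not in FIRST_FIXED_PATCH:
        return "not-listed"  # the advisory text makes no statement about this stream
    fixed = FIRST_FIXED_PATCH[stream]
    if fixed is None or patch < fixed:
        return "affected"
    return "fixed"


def triage(inventory):
    """Map hostname -> status; unparsable entries are flagged, not dropped."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unparsed"
    return result


# Constructed inventory for illustration (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ise-pan-01": "3.1P9",
    "ise-psn-01": "3.1P10",
    "ise-psn-02": "3.0P8",
    "ise-lab-01": "3.4",
    "ise-bad-01": "unknown",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:10} {status}")
```

Entries reported as "not-listed" or "unparsed" need manual review, since the list above says nothing about those streams.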

Remediation

Update to the latest version.

Risk

Impact: High
Probability: Critical
CVSS v4 Score:
CVSS v3 Score: 9.1 / 10
CVSS v2 Score: 8 / 10
EPSS: 0.1 %

Information

Category: Broken Access Control
CWE: CWE-280
Known Exploitation Activity: No exploitations reported

OWASP

OWASP 2013: A7 - Missing Function Level Access Control
OWASP 2017: A5 - Broken Access Control
OWASP 2021: A1 - Broken Access Control