Critical Cisco ISE Vulnerability Exposes Cloud Deployments to Unauthorized Access
In June 2025, Cisco disclosed a critical vulnerability in its Identity Services Engine (ISE), designated as CVE-2025-20286. This flaw has significant implications for organizations utilizing cloud deployments across major platforms.
Technical Overview
The vulnerability arises from the generation of static credentials during the deployment of Cisco ISE on cloud platforms. Specifically, all instances of a particular Cisco ISE release on a given cloud platform share the same credentials. For instance, every Cisco ISE 3.1 deployment on AWS would have identical credentials.
Affected Versions
The following Cisco ISE versions are impacted:
- AWS: 3.1, 3.2, 3.3, and 3.4
- Azure: 3.2, 3.3, and 3.4
- OCI: 3.2, 3.3, and 3.4
It’s important to note that this vulnerability affects only cloud deployments where the Primary Administration node is deployed in the cloud. On-premises deployments remain unaffected.
Potential Exploitation
An attacker who obtains the static credentials could potentially:
- Access multiple Cisco ISE instances across different deployments.
- Extract sensitive information.
- Modify system configurations.
- Disrupt services and operations.
Cisco’s Response and Recommendations
Cisco has acknowledged the existence of a proof-of-concept exploit but has not observed any malicious exploitation in the wild. To mitigate the risks associated with this vulnerability, Cisco recommends:
- Applying Security Updates: Ensure all affected Cisco ISE instances are updated with the latest patches.
- Restricting Access: Limit access to the Cisco ISE management interface to authorized administrators.
- Resetting Configurations: Use the “application reset-config ise” command to reset user passwords, keeping in mind that this will restore the system to its factory settings.
Organizations are urged to act promptly to address this vulnerability and safeguard their cloud-based Cisco ISE deployments.