
Critical Vulnerabilities Disclosed in Cisco Identity Services Engine: Immediate Updates Required


Executive Summary

As of February 5, 2025, Cisco has released a critical security advisory detailing significant vulnerabilities in the Cisco Identity Services Engine (ISE), under the reference cisco-sa-ise-multivuls-FTW9AOXF. These vulnerabilities, identified as CVE-2025-20124 and CVE-2025-20125, pose severe risks, including the potential for remote attackers to execute arbitrary commands, elevate privileges, and modify system configurations. No exploitation has been publicly reported to date. This report aims to provide our customers with an in-depth understanding of these vulnerabilities and the necessary steps for mitigation.

Technical Information

The vulnerabilities in question involve two separate yet critical issues within the Cisco ISE platform. The first, CVE-2025-20124, stems from insecure Java deserialization. This flaw allows an authenticated remote attacker, with valid read-only administrative credentials, to exploit the system by submitting a crafted serialized Java object. This action can lead to arbitrary command execution and privilege escalation, posing a substantial threat to system integrity and security. The CVSS Base Score for this vulnerability is 9.9, underlining its critical nature.

The second vulnerability, CVE-2025-20125, results from inadequate authorization checks and improper validation of user-supplied data. This flaw can be exploited by an attacker, again with valid read-only credentials, through a crafted HTTP request. Such an attack may result in unauthorized access to sensitive information, alteration of configurations, and even the rebooting of affected nodes. The CVSS Base Score for this vulnerability is 9.1, reflecting its critical impact on affected systems.

Both vulnerabilities have been assigned specific Cisco Bug IDs: CSCwk14916 for CVE-2025-20124 and CSCwk14901 for CVE-2025-20125. These IDs can be used for further technical reference and tracking within Cisco's platforms.

Exploitation in the Wild

Currently, there have been no reports or evidence suggesting that these vulnerabilities have been exploited in the wild. Cisco’s Product Security Incident Response Team (PSIRT) is actively monitoring for any signs of malicious activity related to these vulnerabilities and will provide updates as necessary.

APT Groups using this vulnerability

As of now, there have been no specific APT groups identified that are exploiting these vulnerabilities. However, organizations are advised to remain vigilant and monitor their network traffic for any anomalies that could indicate attempted exploitation.

Affected Product Versions

The vulnerabilities affect the following versions of Cisco ISE software: versions 3.0, 3.1 (prior to 3.1P10), 3.2 (prior to 3.2P7), and 3.3 (prior to 3.3P4). Version 3.4 has been confirmed as not vulnerable. It is crucial for organizations using these versions to update their systems to the fixed releases provided by Cisco to ensure protection against potential exploitation.

Workaround and Mitigation

Cisco has issued software updates to address these vulnerabilities. There are no viable workarounds, so upgrading promptly to a fixed software release is essential. The fixed releases are as follows: deployments on Cisco ISE Software Release 3.0 should migrate to a fixed release; Release 3.1 is fixed in 3.1P10; Release 3.2 is fixed in 3.2P7; and Release 3.3 is fixed in 3.3P4. Ensuring your systems are updated is the most effective defense against these vulnerabilities.
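
The affected ranges and fixed releases listed above can be turned into a quick fleet triage check. The following is an added example, not Cisco's or Rescana's tooling: the inventory format, hostnames and function names are assumptions, and release strings use the `3.1P10` notation from this report.

```python
import re

# Fixed patch level per release train, taken from the advisory text above.
# None = no fixed patch on that train (migrate); 0 = not vulnerable at any patch.
FIXED_PATCH = {"3.0": None, "3.1": 10, "3.2": 7, "3.3": 4, "3.4": 0}

# Accepts the report's notation ("3.1P10"), "3.1 Patch 10", or a bare train ("3.2").
RELEASE_RE = re.compile(r"^\s*(\d+\.\d+)(?:\s*[Pp](?:atch\s*)?(\d+))?\s*$")


def triage(release: str) -> tuple[str, str]:
    """Return (status, action) for one ISE release string."""
    m = RELEASE_RE.match(release)
    if not m:
        return ("unknown", "unparseable release string; check manually")
    train, patch = m.group(1), int(m.group(2) or 0)
    if train not in FIXED_PATCH:
        # Trains this report does not mention are flagged, not guessed at.
        return ("unknown", "release train not covered by this report")
    fixed = FIXED_PATCH[train]
    if fixed is None:
        return ("affected", "migrate to a fixed release")
    if patch >= fixed:
        return ("not affected", "none")
    return ("affected", f"upgrade to {train}P{fixed}")


def triage_inventory(inventory: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Map node name -> (status, action) for a whole deployment."""
    return {node: triage(rel) for node, rel in inventory.items()}


# Constructed sample inventory (hostnames and patch levels are made up).
SAMPLE = {
    "ise-pan-01": "3.1P9",
    "ise-psn-01": "3.1P10",
    "ise-psn-02": "3.2",
    "ise-mnt-01": "3.0P8",
    "ise-lab-01": "3.4",
    "ise-old-01": "2.7P6",
}

if __name__ == "__main__":
    for node, (status, action) in triage_inventory(SAMPLE).items():
        print(f"{node:12} {status:13} {action}")
```

Nodes reported as "unknown" need a manual check against the Cisco advisory rather than being treated as safe.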

References

For further technical details and updates, please refer to the following resources: Cisco Security Advisory at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multivuls-FTW9AOXF, CVE-2025-20124 Details at https://nvd.nist.gov/vuln/detail/CVE-2025-20124, and CVE-2025-20125 Details at https://nvd.nist.gov/vuln/detail/CVE-2025-20125.

Rescana is here for you

At Rescana, we prioritize the security of your operations. Our Third Party Risk Management (TPRM) platform is designed to assist you in identifying and mitigating risks associated with third-party vendors, ensuring a robust security posture. Should you have any questions regarding this report or require further assistance, please do not hesitate to contact us at ops@rescana.com. We are here to support you in safeguarding your systems against emerging threats.
