Critical Insecure Java Deserialization and Authorization Bypass Vulnerabilities in Cisco Identity Services Engine (CVE-2025-20124, CVE-2025-20125)

Published On: Feb 14, 2025 11:44

Advisory No: TZCERT-SA-25-0059

Source: Cisco

Software Affected: Cisco Identity Services Engine

Overview

Cisco Identity Services Engine is affected by two critical vulnerabilities that could allow a remote attacker to execute arbitrary commands on an affected device.

Description

Cisco Identity Services Engine is affected by two critical vulnerabilities, tracked as CVE-2025-20124 and CVE-2025-20125, with CVSS scores of 9.9 and 9.1 respectively. The vulnerabilities are due to insecure deserialization of user-supplied Java byte streams by the affected software, and to a lack of authorization in a specific API combined with improper validation of user-supplied data. Upon successful exploitation, the vulnerabilities could allow an authenticated, remote attacker to execute arbitrary commands and elevate privileges on an affected device.
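To illustrate the deserialization bug class named above, the following is an added example written for this advisory, not Cisco's or ISE's code: it places the insecure pattern (a bare ObjectInputStream.readObject() on caller-controlled bytes) beside the hardened form that uses a JDK serialization filter (JEP 290) allowlist. The Ping class, the filter pattern and the sample inputs are hypothetical.

```java
import java.io.*;

public final class DeserializationDemo {

    // Hypothetical message type that an API endpoint legitimately expects.
    static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final String host;
        Ping(String host) { this.host = host; }
    }

    // INSECURE pattern: readObject() on caller-controlled bytes instantiates whatever
    // serializable class the stream names, so the sender chooses which code runs.
    static Object readUnfiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // HARDENED pattern: a JEP 290 allowlist filter. Only Ping (and the String it holds)
    // may be instantiated; "!*" rejects every other class, and the limits cap graph
    // depth and array sizes against resource-exhaustion payloads.
    static Object readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter allow = ObjectInputFilter.Config.createFilter(
                "DeserializationDemo$Ping;java.lang.String;!*;maxdepth=5;maxarray=1000");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(allow); // must be set before the first readObject()
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Ping("ise.example"));     // constructed input
        byte[] unexpected = serialize(new java.util.HashMap<>()); // constructed stand-in for any other class
        System.out.println("unfiltered accepts: " + readUnfiltered(unexpected).getClass());
        System.out.println("filtered accepts:   " + readFiltered(expected).getClass());
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejects:   " + e.getMessage());
        }
    }
}
```

The unfiltered reader happily materialises the unexpected class; the filtered reader throws InvalidClassException for it while still accepting the expected Ping.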

Impact

Successful exploitation of these vulnerabilities may allow the attacker to take control of the affected system.

Solution

Cisco has released patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.
