Overview

Cisco Identity Services Engine is affected by critically severe vulnerabilities. These vulnerabilities could allow a remote attacker to execute arbitrary commands on an affected device.

Description

Cisco Identity Services Engine is affected by a critical vulnerability tracked as CVE-2025-20124, and CVE-2025-20125 with CVSS score of 9.9 and 9.1 respectively. The vulnerability is due to insecure deserialization of user-supplied Java byte streams by the affected software, and lack of authorization in a specific API and improper validation of user-supplied data. Upon successful exploitation, the vulnerabilities could allow an authenticated, remote attacker to execute arbitrary commands and elevate privileges on an affected device.

Impact

Successful exploitation of these vulnerabilities may allow the attacker to take control of the affected system.

Solution

Cisco has released patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.

References

• 1. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multivuls-FTW9AOXF