Published On: Feb 14, 2025 11:44
Advisory No: TZCERT-SA-25-0059
Source: Cisco
Software Affected: Cisco Identity Services Engine
Cisco Identity Services Engine is affected by critical-severity vulnerabilities. These vulnerabilities could allow a remote attacker to execute arbitrary commands on an affected device.
Cisco Identity Services Engine is affected by critical vulnerabilities tracked as CVE-2025-20124 and CVE-2025-20125, with CVSS scores of 9.9 and 9.1 respectively. The vulnerabilities are due to insecure deserialization of user-supplied Java byte streams by the affected software, a lack of authorization in a specific API, and improper validation of user-supplied data. Upon successful exploitation, the vulnerabilities could allow an authenticated, remote attacker to execute arbitrary commands and elevate privileges on an affected device.
Successful exploitation of these vulnerabilities may allow the attacker to take control of the affected system.
Cisco has released patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.