On June 4, 2025, Cisco disclosed a critical vulnerability affecting the Cisco Identity Services Engine (ISE) when deployed on the cloud platforms Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). The vulnerability, assigned CVE-2025-20286, has been given a CVSSv3 score of 9.9 (CRITICAL). Exploitation of this vulnerability could enable an unauthenticated attacker to gain access to sensitive data, execute administrative operations, change system configurations, or cause service disruption within the impacted systems.

Threat Intelligence assessment

Cisco PSIRT has acknowledged that proof-of-concept (PoC) exploit code exists. As of the time of publication, no active exploitation has been observed.

Given the severity and potential impact of this vulnerability, along with the existence of PoC exploit code, we assess that there is a likely risk of exploitation in the near future. This risk is expected to increase in the coming days as threat actors analyze the CVE in detail and exploit code becomes publicly available.

Affected systems

This vulnerability affects the following versions of Cisco ISE in the default configuration when it is deployed on AWS, Azure, and OCI platforms:

Note: Cisco ISE is affected by this vulnerability if the Primary Administration node is deployed in the cloud. Deployments with the Primary Administration node on-premises are not affected.

From Cisco's advisory, products that are not vulnerable include:

  • All on-premises deployments with any form factors where artifacts are installed from Cisco Software Download Center (ISO or OVA).
    • This includes appliances and virtual machines with different form factors.
  • ISE on:
    • Azure VMware Solution (AVS)
    • Google Cloud VMware Engine
    • VMware cloud in AWS
  • ISE hybrid deployments with all ISE Administrator personas (Primary and Secondary Administration) on-premises with other personas in the cloud.

Technical details - CVE-2025-20286

This vulnerability arises from insecure static credential generation in cloud-based ISE installations. Specifically, usernames and passwords are deterministically generated based on the ISE version and the underlying cloud platform, such as AWS, Azure, or OCI. This allows attackers to predict and derive valid login credentials.

Only ISE instances running in cloud environments with the Primary Administration Node (PAN) deployed in the cloud are affected. On-premises deployments are not vulnerable.

A successful exploit could grant an attacker full administrative access to the ISE system, including the ability to modify configurations and access sensitive data.

Recommendations

Prompt action is crucial to mitigate potential compromise. Cisco has released software updates that address this vulnerability, and we strongly recommend updating all affected systems as soon as possible. Restricting the source IPs allowed to communicate with vulnerable instances may help reduce the attack surface, and reviewing login history for suspicious entries is recommended.
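As an added example (not code from Cisco's advisory or from this post), the following Python script applies the last two recommendations to a constructed login history: it checks every successful administrative login against an allowlist of management networks that should be able to reach the PAN and flags anything outside it. The log line layout, field names and network ranges are assumptions for illustration, not the actual ISE audit log format.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample of a login history export. The format is an assumption
# for illustration, not Cisco ISE's actual audit log layout.
SAMPLE_LOG = """\
2025-06-05T08:12:41Z user=admin src=10.20.0.15 result=SUCCESS
2025-06-05T08:13:02Z user=admin src=10.20.0.15 result=SUCCESS
2025-06-05T03:41:09Z user=admin src=203.0.113.77 result=SUCCESS
2025-06-05T03:41:30Z user=iseadmin src=203.0.113.77 result=FAILURE
2025-06-05T03:42:11Z user=iseadmin src=198.51.100.9 result=SUCCESS
"""

# Networks from which administrative access to the PAN is expected
# (assumed values; replace with the organisation's own management ranges).
ALLOWED_SOURCES = ["10.20.0.0/16"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Turn one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def find_suspicious_logins(log_text, allowed_cidrs):
    """Return successful logins whose source lies outside every allowed network."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "SUCCESS":
            continue
        if not any(rec["src"] in net for net in nets):
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    for rec in find_suspicious_logins(SAMPLE_LOG, ALLOWED_SOURCES):
        print(f"{rec['ts'].isoformat()} {rec['user']} from {rec['src']}: outside allowlist")
```

Successful logins from unexpected networks are the entries worth correlating with the cloud provider's own access logs and with any configuration changes made around the same time.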