Cisco has released fixes for two critical vulnerabilities (CVE-2025-20124 and CVE-2025-20125) in its Identity Services Engine (ISE) platform, a widely used identity and access management solution.
The first flaw stems from insecure deserialization of Java byte streams, allowing attackers with read-only admin access to execute arbitrary commands as root. The second vulnerability involves improper authorization and data validation, enabling malicious HTTP requests to modify configurations or reload systems.
Cisco advises administrators to upgrade or migrate ISE appliances to secure versions immediately.
There is currently no evidence of in-the-wild exploitation or public exploit code; the flaws were reported to Cisco by Deloitte security researchers.
In addition to ISE vulnerabilities, Cisco warned of denial-of-service (DoS) risks in IOS, IOS XE, and NX-OS software, with fixes planned for early 2025.
The company has previously addressed other high-severity security flaws, including privilege escalation and root command execution vulnerabilities.