Cisco has released updates to address two critical security flaws in Identity Services Engine (ISE) that could allow remote attackers to execute arbitrary commands and elevate privileges on vulnerable devices.
The vulnerabilities are listed below –
- CVE-2025-20124 (CVSS score: 9.9) – An insecure Java deserialization vulnerability in an API of Cisco ISE that could allow an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device.
- CVE-2025-20125 (CVSS score: 9.1) – An authorization bypass vulnerability in an API of Cisco ISE that could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node.
An attacker could weaponize either of the flaws by sending a crafted serialized Java object or an HTTP request to an unspecified API endpoint, resulting in privilege escalation and code execution.
Cisco said the two vulnerabilities are not dependent on each other and that there are no workarounds to mitigate them. They have been addressed in the following versions –
- Cisco ISE software release 3.0 (Migrate to a fixed release)
- Cisco ISE software release 3.1 (Fixed in 3.1P10)
- Cisco ISE software release 3.2 (Fixed in 3.2P7)
- Cisco ISE software release 3.3 (Fixed in 3.3P4)
- Cisco ISE software release 3.4 (Not vulnerable)
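CVE-2025-20124 belongs to the insecure Java deserialization class, where an application calls `ObjectInputStream.readObject()` on attacker-supplied bytes and thereby lets the sender choose which classes get instantiated. The example below is added here to illustrate the general defensive pattern; it is not Cisco's code, says nothing about the ISE API in question, and uses a constructed `ArrayList` payload and a constructed `HashMap` payload as stand-ins. The hardened reader applies a JEP 290 `ObjectInputFilter` allowlist so that any class outside the expected set is rejected before its constructor or `readObject` logic runs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Added example (not Cisco's code): unrestricted vs. allowlisted Java deserialization. */
public class DeserializationFilterDemo {

    /** Helper to build constructed sample payloads for the demo. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Vulnerable pattern: every class present in the stream is resolved and instantiated. */
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    /**
     * Hardened pattern (JEP 290, Java 9+): only the classes this API actually expects
     * are permitted; "!*" rejects everything else, and the depth/reference limits
     * bound the resources a hostile stream can consume.
     */
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "java.util.ArrayList;java.lang.String;maxdepth=8;maxrefs=1024;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowlist);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload 1: the shape the API legitimately expects.
        List<String> expected = new ArrayList<>(List.of("node-a", "node-b"));
        byte[] goodPayload = serialize(expected);

        // Constructed payload 2: a different, unexpected class (a harmless HashMap here;
        // in a real attack this would be a gadget class that the filter must block).
        Map<String, String> unexpected = new HashMap<>();
        unexpected.put("k", "v");
        byte[] unexpectedPayload = serialize(unexpected);

        System.out.println("unfiltered, expected class:   " + readUnfiltered(goodPayload));
        System.out.println("unfiltered, unexpected class: " + readUnfiltered(unexpectedPayload)
                + "  <- accepted, the sender chose the class");

        System.out.println("filtered, expected class:     " + readFiltered(goodPayload));
        try {
            readFiltered(unexpectedPayload);
        } catch (InvalidClassException e) {
            // The allowlist rejects the stream before HashMap is instantiated.
            System.out.println("filtered, unexpected class:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo` on a JDK 9 or later; the last line shows the filtered reader refusing the unexpected class. In an application the same filter can be installed process-wide via `ObjectInputFilter.Config.setSerialFilter(...)` or the `jdk.serialFilter` system property, which is the more robust choice when there are many `readObject()` call sites to audit.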
Deloitte security researchers Dan Marin and Sebastian Radulea have been credited with discovering and reporting the vulnerabilities.
While the networking equipment major said it is not aware of any malicious exploitation of the flaws, customers are advised to keep their systems up-to-date for optimal protection.