Cisco Identity Services Engine on Cloud Platforms Static Credential Vulnerability – Source:sec.cloudapps.cisco.com

Critical

Summary

• A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems.

  This vulnerability exists because credentials are improperly generated when Cisco ISE is being deployed on cloud platforms, resulting in different Cisco ISE deployments sharing the same credentials. These credentials are shared across multiple Cisco ISE deployments as long as the software release and cloud platform are the same. An attacker could exploit this vulnerability by extracting the user credentials from Cisco ISE that is deployed in the cloud and then using them to access Cisco ISE that is deployed in other cloud environments through unsecured ports. A successful exploit could allow the attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems.

  Note: If the Primary Administration node is deployed in the cloud, then Cisco ISE is affected by this vulnerability. If the Primary Administration node is on-premises, then it is not affected.

  Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

  This advisory is available at the following link:
  https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7

Affected Products

• This vulnerability affects the following releases of Cisco ISE in the default configuration when it is deployed on AWS, Azure, and OCI platforms:

  Platform	Cisco ISE Vulnerable Releases
  AWS	3.1, 3.2, 3.3, and 3.4
  Azure	3.2, 3.3, and 3.4
  OCI	3.2, 3.3, and 3.4

  Note: If the Primary Administration node is deployed in the cloud, then Cisco ISE is affected by this vulnerability. If the Primary Administration node is on-premises, then it is not affected.

  For information about the fixed Cisco software releases, see the Fixed Software section of this advisory.

  Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

  This vulnerability does not affect the following deployments of Cisco ISE:

  • All on-premises deployments with any form factors where artifacts are installed from Cisco Software Download Center (ISO or OVA). This includes appliances and virtual machines with different form factors.
  • ISE on Azure VMware Solution (AVS)
  • ISE on Google Cloud VMware Engine
  • ISE on VMware cloud in AWS
  • ISE hybrid deployments with all ISE Administrator personas (Primary and Secondary Administration) on-premises with other personas in the cloud.

Details

• The credentials that exist in Cisco ISE that is deployed in the cloud are specific to each release and platform. For example:

  • All instances of Release 3.1 on AWS will have the same static credentials.
  • Credentials that are valid for access to a Release 3.1 deployment would not be valid to access a Release 3.2 deployment on the same platform.
  • Release 3.2 on AWS would not have the same credentials as Release 3.2 on Azure.

Workarounds

• There are no workarounds that address this vulnerability. However, there are mitigations:

  • Allow source IPs that use Cloud Security Groups: Allowing the source IP addresses of Customer Administrators that use security groups on cloud platforms restricts access exclusively to authorized administrators before traffic reaches the Cisco ISE instance, effectively blocking any potentially malicious connections.
  • Allow source IPs at Cisco ISE: In the Cisco ISE UI, allow the source IP addresses of Customer Administrators.

  For fresh installations, run the application reset-config ise to reset user passwords to a new value. Running the application reset-config ise command is required only on the Primary Administration persona node in the cloud. There is no need to reset secondary nodes. If the Primary Administration persona is on-premises, running the command is not required.

  Warnings:

  • Running the application reset-config ise command will reset Cisco ISE to the factory configuration. For details, see the Cisco ISE Configuration Guide.
  • Restoring a backup will restore the original credentials.

  While these mitigations have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.

Fixed Software

• Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.

  Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
  https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

  Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

  The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.

  When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

  In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

  Customers Without Service Contracts

  Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

  Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

  Fixed Releases

  In the following table, the left column lists Cisco software releases. The middle column indicates the hot fix available for that release and the right column indicates the first fixed release for the vulnerability. Customers are advised to upgrade to an appropriate fixed software release as indicated in this section.

  Cisco ISE Release	Hot Fix	First Fixed Release
  3.1	ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz This hot fix applies to Releases 3.1 through 3.4.	Migrate to a fixed release.
  3.2	ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz This hot fix applies to Releases 3.1 through 3.4.	Migrate to a fixed release.
  3.3	ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz This hot fix applies to Releases 3.1 through 3.4.	3.3P8 (November 2025)
  3.4	ise-apply-CSCwn63400_3.1.x_patchall-SPA.tar.gz This hot fix applies to Releases 3.1 through 3.4.	3.4P3 (October 2025)
  3.5	Not applicable.	Planned release (Aug 2025)

  The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

Exploitation and Public Announcements

• The Cisco PSIRT is aware that proof-of-concept exploit code is available for the vulnerability that is described in this advisory.

  The Cisco PSIRT is not aware of any malicious use of the vulnerability that is described in this advisory.

Source

• Cisco would like to thank Kentaro Kawane of GMO Cybersecurity by Ierae for reporting this vulnerability.

Cisco Security Vulnerability Policy

• To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

• Subscribe

Related to This Advisory

URL

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7

Revision History

• Version	Description	Section	Status	Date
  1.1	Added future fix information.	Fixed Releases	Final	2025-JUN-04
  1.0	Initial public release.	–	Final	2025-JUN-04

  Show Less

Feedback

• Leave additional feedback