Source: go.theregister.com – Author: Jessica Lyons
Cisco has issued a patch for a critical 10 out of 10 severity bug in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could allow an unauthenticated, remote attacker to run arbitrary code on the operating system with root-level privileges.
ISE is a network access control and security policy management platform, and ISE-PIC centralizes identity management across security tools. And this vulnerability, tracked as CVE-2025-20337, is about the worst of the worst, allowing miscreants to take total control of compromised computers easily. In other words – patch now.
The vendor disclosed CVE-2025-20337 on Wednesday in an update to a June security advisory about two other max-severity flaws in the same products. The new bug is related to CVE-2025-20281, one of the two disclosed in June, which also received a 10 CVSS rating and affects ISE and ISE-PIC releases 3.3 and 3.4, regardless of device configuration.
“These vulnerabilities are due to insufficient validation of user-supplied input,” Cisco noted. “An attacker could exploit these vulnerabilities by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.”
There are no workarounds, but Cisco has released a software update that fixes both flaws, along with another critical-rated bug tracked as CVE-2025-20282 disclosed in June.
The vendor noted that since the original publication of the security advisory last month, “improved fixed releases have become available” and customers should upgrade as follows:
- If Cisco ISE is running Release 3.4 Patch 2, no further action is necessary.
- If Cisco ISE is running Release 3.3 Patch 6, additional fixes are available in Release 3.3 Patch 7, and the device must be upgraded.
- If Cisco ISE has either hot patch ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz or hot patch ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz installed, Cisco recommends upgrading to Release 3.3 Patch 7 or Release 3.4 Patch 2. The hot patches did not address CVE-2025-20337.
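The three upgrade rules above are easy to misapply across a fleet, particularly the hot-patch case, where a node looks patched but is not. The following is an added example, not code from Cisco or from the article, that encodes those rules as an inventory triage script: it reduces a full ISE version string to its release train, compares the installed cumulative patch against the fixed level the advisory names (3.3 Patch 7, 3.4 Patch 2), and flags nodes whose only remediation is one of the two hot-patch bundles that did not address CVE-2025-20337. The `IseNode` schema, hostnames and version numbers in the sample inventory are constructed for illustration; releases other than 3.3 and 3.4 are outside the advisory text and are simply marked for manual review.

```python
"""Triage Cisco ISE / ISE-PIC nodes against the advisory's upgrade guidance.

Added example; the inventory schema and sample hosts are constructed, not Cisco data.
"""
import re
from dataclasses import dataclass

# Fixed patch levels named in the advisory update, keyed by release train.
FIXED_PATCH = {"3.3": 7, "3.4": 2}

# Hot patch bundles named in the advisory; installing them did NOT fix CVE-2025-20337.
INCOMPLETE_HOT_PATCHES = {
    "ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz",
    "ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)*$")


@dataclass
class IseNode:
    """One ISE / ISE-PIC node as recorded in an asset inventory (hypothetical schema)."""
    hostname: str
    version: str              # full version string, e.g. "3.3.0.430"
    patch: int = 0            # cumulative patch level installed, 0 if none
    hot_patches: tuple = ()   # hot patch bundle filenames installed


def release_train(version: str) -> str:
    """Reduce a full version such as '3.4.0.608' to its release train '3.4'."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised ISE version string: {version!r}")
    return f"{m.group(1)}.{m.group(2)}"


def assess(node: IseNode) -> dict:
    """Return a verdict for one node: status 'fixed', 'upgrade' or 'review'."""
    train = release_train(node.version)
    if train not in FIXED_PATCH:
        # The advisory update covers 3.3 and 3.4 only; other trains get a manual look.
        return {"host": node.hostname, "status": "review",
                "reason": f"release {train} not covered by this advisory"}
    required = FIXED_PATCH[train]
    if node.patch >= required:
        return {"host": node.hostname, "status": "fixed",
                "reason": f"{train} Patch {node.patch} includes the fix"}
    reason = f"upgrade to {train} Patch {required}"
    # A hot patch on an otherwise unpatched node is the trap the advisory warns about.
    if INCOMPLETE_HOT_PATCHES.intersection(node.hot_patches):
        reason += " (hot patch present but it does not address CVE-2025-20337)"
    return {"host": node.hostname, "status": "upgrade", "reason": reason}


def triage(inventory) -> dict:
    """Assess every node; returns {hostname: verdict} so callers can filter by status."""
    return {r["host"]: r for r in map(assess, inventory)}


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    IseNode("ise-pan-01", "3.4.0.608", patch=2),
    IseNode("ise-psn-02", "3.3.0.430", patch=6),
    IseNode("ise-psn-03", "3.3.0.430", patch=4,
            hot_patches=("ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz",)),
    IseNode("ise-pic-04", "3.2.0.542", patch=5),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {verdict['status']:8} {verdict['reason']}")
```

Feed it the version and patch fields exported from whatever inventory or CMDB tracks the ISE deployment; the point of keeping the thresholds in `FIXED_PATCH` is that the next advisory revision only changes one line.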
Cisco credited Bobby Gould of Trend Micro Zero Day Initiative with reporting CVE-2025-20281, and Kentaro Kawane of GMO Cybersecurity by Ierae, working with ZDI, for both CVE-2025-20282 and CVE-2025-20337.
Dustin Childs, head of threat awareness at ZDI, told The Register that CVE-2025-20281 and CVE-2025-20337 are different, albeit similar, vulnerabilities.
“After viewing the patch fixes for CVE-2025-20281 and CVE-2025-20337, it became evident that these should have been assigned two separate CVEs,” he said. “The fixes were in different sections of code even though the bug type itself was identical.”
There are no known exploits — yet — for any of these vulnerabilities, according to Cisco. But it’s very hard for both ethical security researchers and criminals alike to resist poking make-me-root security holes, so we’d expect to see both proof-of-concept and in-the-wild exploits soon.
“It’s certainly concerning – especially since the bug rates a CVSS score of 10,” Childs said, referring to the newly disclosed CVE. “It will likely be targeted by threat actors, but to date, we are not aware of any exploitation in the wild.”
Earlier this month, Cisco scored another perfect 10 for a different vulnerability, this one in its Unified Communications Manager and Session Management Edition products. The Engineering-Special (ES) builds of both have hardcoded credentials baked in, and would allow an unauthenticated, remote attacker root access. ®
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/07/17/critical_cisco_bug/