The National Computer Emergency Team has issued an advisory warning of a critical authentication bypass vulnerability. According to the team, the problem affects Cisco Identity Services Engine (ISE) cloud deployments.
The defect is tracked as CVE-2025-20286 and rated 9.9 (Critical) on the CVSS scale. It allows unauthenticated attackers to obtain full administrative access to ISE instances deployed through official Cisco cloud images on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI).
The exposure poses a serious risk of complete system failure, unauthorized data breach, and network policy bypass. According to the advisory, the weakness stems from credential reuse and improper session validation across cloud-based Cisco ISE images.
This issue affects systems deployed from Cisco’s official cloud marketplace images. It does not apply to on-premises setups or to custom cloud configurations where the Primary Administration Node has been set up manually.
A publicly available proof-of-concept (PoC) exploit significantly increases the threat level, enabling attackers to remotely connect to the exposed HTTPS management interface and execute privileged operations without any user interaction.
If exploited, attackers could reconfigure security settings, disable policy enforcement, retrieve sensitive authentication or identity logs, and navigate across the cloud environment by leveraging exposed or compromised login credentials.
The attack complexity is low, requires no prior access or credentials, and can be carried out entirely over the internet, making it a high-priority concern for organizations using affected ISE versions.
According to the advisory, the affected versions include Cisco ISE 3.1 through 3.4 deployed on AWS, Azure, and OCI. The root causes include hard-coded credentials, lack of proper access control validation, and insecure default configurations in Cisco’s marketplace-provided images.
Cisco has acknowledged the vulnerability and released updated images in June 2025 that are considered secure if properly deployed.
Organizations are strongly advised to redeploy affected instances using the updated Cisco images. Where immediate replacement is not possible, emergency measures include restricting external access to the ISE admin interface, routing access through secure VPNs, enforcing MFA, and isolating cloud resources using virtual network controls.
Administrators should also rotate any credentials or access keys associated with the vulnerable instances. Security teams are urged to analyze ISE logs for unauthorized access attempts, integrate monitoring with SIEM platforms, and initiate forensic reviews where compromise is suspected.
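As an added example (not code from the advisory or from Cisco), the following triage helper encodes the affected population described above (ISE 3.1 through 3.4 on AWS, Azure or OCI, deployed from the marketplace image, not manually configured PAN, not yet redeployed on the June 2025 images) and ranks affected instances by whether the admin interface is internet-exposed. The instance records, field names and priority labels are constructed for illustration.

```python
from dataclasses import dataclass

# Affected population as stated in the advisory (assumed: major.minor match only).
AFFECTED_VERSIONS = {(3, 1), (3, 2), (3, 3), (3, 4)}
AFFECTED_CLOUDS = {"aws", "azure", "oci"}


@dataclass
class IseInstance:
    name: str
    cloud: str                      # "aws", "azure", "oci" or "on-prem"
    version: str                    # e.g. "3.2.0"
    marketplace_image: bool         # deployed from Cisco's official marketplace image
    pan_manually_configured: bool   # Primary Administration Node set up by hand
    admin_port_internet_exposed: bool
    updated_image: bool             # already redeployed on the June 2025 fixed image


def parse_version(version: str) -> tuple[int, int]:
    """Return (major, minor); a bare major version is treated as x.0."""
    parts = (version.split(".") + ["0"])[:2]
    return int(parts[0]), int(parts[1])


def is_affected(inst: IseInstance) -> bool:
    """Apply the advisory's scoping rules to one inventory record."""
    if inst.cloud.lower() not in AFFECTED_CLOUDS:
        return False
    if not inst.marketplace_image or inst.pan_manually_configured:
        return False  # on-prem or custom PAN setups are out of scope
    if inst.updated_image:
        return False  # fixed image already deployed
    return parse_version(inst.version) in AFFECTED_VERSIONS


def triage(instances: list[IseInstance]) -> list[tuple[str, str]]:
    """List affected instances with a remediation priority, most urgent first."""
    result = []
    for inst in instances:
        if is_affected(inst):
            prio = "P1-internet-exposed" if inst.admin_port_internet_exposed else "P2-restricted"
            result.append((inst.name, prio))
    return sorted(result, key=lambda item: item[1])


# Constructed sample inventory.
SAMPLE = [
    IseInstance("ise-prod-aws", "aws", "3.2.0", True, False, True, False),
    IseInstance("ise-azure-lab", "azure", "3.4.0", True, False, False, False),
    IseInstance("ise-oci-custom", "oci", "3.3.0", True, True, True, False),
    IseInstance("ise-dc-onprem", "on-prem", "3.1.0", False, False, False, False),
    IseInstance("ise-aws-new", "aws", "3.4.0", True, False, True, True),
]
```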
Rapid response is essential to minimize risk, protect organizational assets, and prevent potential exploitation of this critical vulnerability.