Critical Cisco Cloud Vulnerability Prompts Govt Warning Over Unauthenticated Access Risks

Pakistan’s National Computer Emergency Team has issued a high-priority advisory concerning a critical cloud vulnerability impacting Cisco Identity Services Engine (ISE) deployments. The flaw, identified as CVE-2025-20286 and assigned a severity score of 9.9 on the CVSS scale, enables unauthenticated attackers to gain full administrative privileges on affected ISE instances hosted through official Cisco images in major public clouds, including Amazon Web Services, Microsoft Azure, and Oracle Cloud Infrastructure.

This authentication bypass vulnerability introduces a significant risk to enterprise cloud deployments using Cisco’s marketplace offerings. According to the advisory, the issue arises from improper session validation and reuse of hard-coded credentials, making it possible for remote attackers to access the HTTPS management interface without credentials. Once inside, attackers can perform privileged actions, manipulate configurations, disable security policies, and exfiltrate sensitive identity and authentication data.

The threat is compounded by the existence of a publicly available proof-of-concept exploit, which lowers the barrier for malicious actors targeting exposed systems. The vulnerability specifically affects Cisco ISE versions 3.1 through 3.4 deployed from the official marketplace images on AWS, Azure, and OCI. It does not affect custom-deployed or on-premises instances, particularly those where the Primary Administration Node was manually configured, which offers some relief for certain deployment models.

The advisory highlights the low complexity of the attack, requiring no prior access or insider credentials. The flaw can be exploited remotely over the internet, increasing the urgency for immediate security action. Exploitation could allow attackers to bypass network enforcement rules, escalate privileges, and move laterally within affected cloud environments. Shared or leaked credentials may further aid in the exploitation process, particularly in cases where environments lack strict access segregation.

Cisco has acknowledged the vulnerability and released updated cloud deployment images as of June 2025. These images address the core issues and are considered secure, provided they are configured and deployed correctly. Organizations are advised to redeploy affected instances using the updated versions. Where immediate updates are not feasible, temporary mitigation steps include restricting external access to ISE administrative interfaces, enforcing VPN tunnels, enabling multi-factor authentication, and applying strict virtual network access controls to isolate cloud resources.
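The first temporary mitigation above, restricting external access to the ISE administrative interface, is easy to state and easy to get wrong in a cloud security group. The following added example (not code from the advisory, Cisco, or any cloud provider) audits a security-group style ingress rule set and flags any rule that lets a source outside an explicit allowlist reach the HTTPS management port. The rule records, the trusted ranges, and the helper names are all constructed for illustration; in practice the rules would come from an export of the actual cloud network ACLs and the allowlist would hold the organisation's own VPN and management ranges.

```python
"""Audit security-group style ingress rules for exposure of the Cisco ISE
HTTPS administrative interface (TCP 443) to untrusted source networks.

Hypothetical helper, not Cisco's or any cloud provider's tooling. The rule
records and trusted ranges below are constructed sample data."""
import ipaddress
from dataclasses import dataclass

ISE_ADMIN_PORT = 443  # HTTPS management interface named in the advisory


@dataclass(frozen=True)
class IngressRule:
    name: str
    protocol: str      # "tcp", "udp", or "-1" meaning all protocols
    from_port: int     # from_port == to_port == -1 means all ports
    to_port: int
    source_cidr: str   # IPv4 or IPv6 CIDR the rule accepts traffic from


def _covers_port(rule, port):
    """True if the rule can carry TCP traffic to `port`."""
    if rule.protocol not in ("tcp", "-1"):
        return False
    if rule.from_port == -1 and rule.to_port == -1:
        return True
    return rule.from_port <= port <= rule.to_port


def _source_is_trusted(cidr, trusted_sources):
    """True only when the whole source range sits inside one trusted range.
    Default-deny: anything not explicitly trusted counts as exposed, so a
    rule for 0.0.0.0/0 or ::/0 can never pass."""
    src = ipaddress.ip_network(cidr, strict=False)
    for trusted in trusted_sources:
        net = ipaddress.ip_network(trusted, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first
        if net.version == src.version and src.subnet_of(net):
            return True
    return False


def audit_admin_exposure(rules, trusted_sources, port=ISE_ADMIN_PORT):
    """Return names of ingress rules that let untrusted sources reach `port`."""
    return [
        rule.name
        for rule in rules
        if _covers_port(rule, port)
        and not _source_is_trusted(rule.source_cidr, trusted_sources)
    ]


# Constructed allowlist: an RFC 1918 corporate range and a documentation
# range standing in for a VPN concentrator's egress address block.
TRUSTED_SOURCES = ["10.0.0.0/8", "192.0.2.0/24"]

# Constructed rule set mimicking an exported cloud security group.
SAMPLE_RULES = [
    IngressRule("corp-https", "tcp", 443, 443, "10.20.0.0/16"),
    IngressRule("vpn-https", "tcp", 443, 443, "192.0.2.0/24"),
    IngressRule("world-https", "tcp", 443, 443, "0.0.0.0/0"),
    IngressRule("world-https-v6", "tcp", 443, 443, "::/0"),
    IngressRule("world-all", "-1", -1, -1, "0.0.0.0/0"),
    IngressRule("world-ssh", "tcp", 22, 22, "0.0.0.0/0"),        # not port 443
    IngressRule("partner-range", "tcp", 1, 65535, "203.0.113.0/24"),
]

if __name__ == "__main__":
    for name in audit_admin_exposure(SAMPLE_RULES, TRUSTED_SOURCES):
        print(f"EXPOSED: rule {name} allows untrusted access to TCP/{ISE_ADMIN_PORT}")
```

The check is deliberately allowlist-based rather than blocklist-based: a rule whose source range is not wholly contained in a trusted range is reported, which catches the obvious 0.0.0.0/0 and ::/0 cases as well as an over-broad partner range or an "all protocols, all ports" rule that happens to include 443. Running the same audit after redeploying from the updated images confirms that the interim restriction was not lost in the rebuild.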

Security administrators are further encouraged to rotate all access credentials related to the compromised instances and monitor Cisco ISE logs for signs of unauthorized access. Integration with Security Information and Event Management systems is recommended to enhance detection capabilities. In cases where exploitation is suspected, forensic investigation and incident response procedures should be promptly initiated to limit impact and recover control.

This advisory serves as a reminder of the critical need for continuous monitoring, timely patching, and adherence to cloud security best practices, especially when deploying infrastructure through public marketplaces. With enterprise dependence on hybrid and multi-cloud setups continuing to grow, vulnerabilities like this one underscore the importance of proactive defense strategies.