CVE-2025-20286: Critical Static Credential Vulnerability in Cisco Identity Services Engine on Cloud Platforms
CVSS 3.0 score: 9.9
A critical vulnerability in Cisco Identity Services Engine (ISE) has recently been disclosed. Because affected cloud deployments share credentials (see the root cause below), an unauthenticated, remote attacker who extracts the credentials from one Cisco ISE cloud deployment can reuse them against other deployments of the same release on the same cloud platform. A successful attack allows the attacker to access sensitive data, execute limited administrative operations, change system configurations, or disrupt services within the impacted systems.
The currently affected releases are:
- Cisco ISE on AWS: 3.1, 3.2, 3.3, and 3.4
- Cisco ISE on Azure: 3.2, 3.3, and 3.4
- Cisco ISE on OCI: 3.2, 3.3, and 3.4
Note: Deployments are vulnerable only when the Primary Administration node is deployed in the cloud. If the Primary Administration node is deployed on-prem, the deployment is not affected.
According to Cisco, this vulnerability does not affect the following deployment types:
- All on-premises deployments with any form factors where artifacts are installed from Cisco Software Download Center (ISO or OVA). This includes appliances and virtual machines with different form factors.
- ISE on Azure VMware Solution (AVS)
- ISE on Google Cloud VMware Engine
- ISE on VMware cloud in AWS
- ISE hybrid deployments with all ISE Administrator personas (Primary and Secondary Administration) on-premises with other personas in the cloud.
The root cause is that Cisco ISE generates credentials improperly when it is deployed on a cloud platform, so every Cisco ISE deployment of the same software release on the same cloud platform receives the same credentials. The credentials are therefore static across customers rather than unique to each deployment, which is why they can be extracted from one deployment and reused against another.
Cisco has released hotfix patches for this vulnerability together with mitigation guidance. Integrity360 recommends applying the Cisco hotfix; where that is not possible, Cisco's mitigation guidance is reproduced below.
Cisco have issued the following mitigation guidance:
- There are no workarounds that address this vulnerability. However, there are mitigations:
- Restrict source IPs with cloud security groups: In the cloud platform's security groups, allow only the source IP addresses of customer administrators. This restricts access to authorized administrators before traffic reaches the Cisco ISE instance, blocking connections from any other source.
- Restrict source IPs at Cisco ISE: In the Cisco ISE UI, allow only the source IP addresses of customer administrators.
For fresh installations, run the application reset-config ise command to reset user passwords to new values. The command is required only on the Primary Administration persona node in the cloud; secondary nodes do not need to be reset. If the Primary Administration persona is on-premises, the command is not required.
Warnings:
- Running the application reset-config ise command will reset Cisco ISE to the factory configuration. For details, see the Cisco ISE Configuration Guide.
- Restoring a backup will restore the original credentials.
While these mitigations have been deployed and were proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
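The first mitigation above depends on the cloud security group in front of the ISE Primary Administration node admitting administrator traffic only from approved addresses. The following audit script is an added example written for this post; it is not Cisco's or Integrity360's code. It assumes the JSON shape returned by aws ec2 describe-security-groups and that the administrator-facing ports are 443 (admin portal) and 22 (SSH CLI); the group IDs, CIDRs and rules embedded in it are constructed sample data, not real infrastructure. It flags any rule that exposes an admin port to a source outside the approved administrator CIDRs and builds the replacement ingress rules in the shape accepted by aws ec2 authorize-security-group-ingress --ip-permissions.

```python
"""Audit cloud security-group rules for world-reachable Cisco ISE admin ports.

Added example (not from the Integrity360 post or Cisco's advisory). It assumes
the JSON shape returned by `aws ec2 describe-security-groups`; the group IDs,
CIDRs and rules below are constructed sample data, not real infrastructure.
"""
import ipaddress
import json

# Ports an ISE administrator reaches: HTTPS admin portal and SSH CLI.
# Assumption: extend this set if your deployment exposes more admin services.
ISE_ADMIN_PORTS = {22, 443}

# Constructed sample: one group open to the world, one already restricted.
SAMPLE_DESCRIBE_SECURITY_GROUPS = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0ise0open00000001",
            "GroupName": "ise-pan-open",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
                 "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
                {"IpProtocol": "udp", "FromPort": 1812, "ToPort": 1813,
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0ise0safe00000002",
            "GroupName": "ise-pan-restricted",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            ],
        },
    ]
})


def _rule_cidrs(perm):
    """Yield every IPv4/IPv6 CIDR a permission entry grants."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]


def _covers_admin_port(perm):
    """True if the permission includes any ISE admin port (or all traffic)."""
    if perm.get("IpProtocol") == "-1":          # "-1" means all protocols/ports
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return any(perm["FromPort"] <= p <= perm["ToPort"] for p in ISE_ADMIN_PORTS)


def find_exposed_admin_rules(describe_json, admin_cidrs):
    """Return (group_id, port_range, cidr) triples for admin-port rules whose
    source is not contained in one of the approved administrator CIDRs."""
    approved = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            if not _covers_admin_port(perm):
                continue
            for cidr in _rule_cidrs(perm):
                net = ipaddress.ip_network(cidr)
                # subnet_of() only accepts same-version networks, so check version first.
                if not any(net.version == a.version and net.subnet_of(a) for a in approved):
                    ports = "all" if perm["IpProtocol"] == "-1" else f"{perm['FromPort']}-{perm['ToPort']}"
                    findings.append((sg["GroupId"], ports, cidr))
    return findings


def restricted_admin_permissions(admin_cidrs):
    """Build replacement ingress rules: admin ports from approved CIDRs only.
    The shape matches the --ip-permissions argument of
    `aws ec2 authorize-security-group-ingress`."""
    v4 = [{"CidrIp": c} for c in admin_cidrs if ipaddress.ip_network(c).version == 4]
    v6 = [{"CidrIpv6": c} for c in admin_cidrs if ipaddress.ip_network(c).version == 6]
    return [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p, "IpRanges": v4, "Ipv6Ranges": v6}
            for p in sorted(ISE_ADMIN_PORTS)]


if __name__ == "__main__":
    admins = ["203.0.113.0/24"]
    for gid, ports, cidr in find_exposed_admin_rules(SAMPLE_DESCRIBE_SECURITY_GROUPS, admins):
        print(f"EXPOSED {gid}: tcp {ports} from {cidr}")
    print(json.dumps(restricted_admin_permissions(admins), indent=2))
```

Against the sample data the audit reports the 443 rule open to 0.0.0.0/0 and the 22 rule open to ::/0 on the first group, and nothing for the restricted group. Feed it real output from describe-security-groups (or the equivalent network security group export on Azure or OCI, after adapting the field names) and revoke the flagged rules before authorizing the generated replacements. Keep in mind that this only narrows who can reach the admin ports; it does not change the shared credentials, so apply the hotfix as soon as possible.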
At the time of writing there are no known public exploits for this vulnerability, but that may change quickly. If you have a vulnerable device that you believe may be compromised, contact the Integrity360 Incident Response team immediately via the Under Attack button on our website.