Vulnerability Impacts Various Cloud Deployments of Cisco ISE

A Cisco vulnerability affects cloud deployments of Cisco Identity Services Engine (ISE) on certain platforms. The vulnerability, tracked as CVE-2025-20286, has a CVSS score of 9.9 out of 10.0 and impacts Cisco ISE deployments on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI).
The flaw could enable a malicious actor to gain access to sensitive data, perform limited administrative operations, alter system configurations, or disrupt services within the impacted systems. Cisco has described it as a static credential vulnerability. Security patches have been released, and there is no indication that the flaw has been exploited in the wild.
Below, security leaders discuss this vulnerability.
Security Leaders Weigh In
James Maude, Field CTO at BeyondTrust:
Just when you thought the days of dealing with vendors using common default credentials were gone, or at least confined to the world of budget IoT devices, something like CVE-2025-20286 comes along and surprises you. While the credentials in this case are not entirely static, they are shared when the software release and cloud platform are the same. This provides an opportunity to extract credentials from one deployment and use them to access others, making this a top priority to remediate, ideally by applying the hot fixes released, as these also cover other vulnerabilities.
This only adds to the struggles organizations already have with detecting and mitigating identity-based attacks. Unlike malware and software exploitation, compromising an identity or account and simply logging in, rather than hacking in, is hard to defend against. The risk of that identity compromise is then dependent on the paths to privilege it has. In this case, it allows access to data, some administrative operations, and the ability to change system configurations. It is a significant reminder of the importance of having visibility over all identities to proactively adopt least privilege approaches using Just-in-Time (JIT) access, as well as being able to monitor privileged accounts and identity infrastructure for abuse.
While Cisco are actively working with customers to address this vulnerability through hot fixes, there are likely organizations who have purchased through third parties and are unaware of the issue. As with any cloud system which forms part of your critical infrastructure, restricting traffic to authorized IP ranges and ideally using secure remote access solutions can greatly reduce the attack surface and help mitigate risks. Where possible, organizations should consider running the application reset command to generate a new password value; however, this will also reset Cisco ISE to the factory settings and so may not be possible.
Rom Carmel, Co-Founder and CEO at Apono:
This is yet another example of how authentication failures can leave organizations vulnerable. While authentication is a critical first step, real security comes from layered defenses — what we call defense in depth. In the cloud, access privileges are the keys to the kingdom. Every identity, human or non-human, with standing privileged access increases your exposure. Security leaders should work to minimize standing privileges and adopt a least-privilege model to reduce risk, especially in the event of an account takeover.
Will Bailey, Senior Cyber Defender at Ontinue:
Given that this CVE affects Cisco ISE deployments across a compact range of cloud infrastructures and, if successfully exploited, could quite easily lead to serious data breaches, security teams should treat this as an immediate priority. Remediation currently involves applying Cisco’s latest security updates to all affected ISE instances and restricting administrative access to trusted IP addresses via cloud security groups or firewall rules. With proof-of-concept exploits already in circulation, any delay in action increases the risk of service disruption, data compromise, or unauthorized system changes.