What is CVE-2025-20282?

CVE-2025-20282 is a critical-severity vulnerability in Cisco Identity Services Engine Software, classified under Improper Privilege Management. CVSS score: 10.0/10. Published 2025-06-25.

How severe is CVE-2025-20282?

Critical severity. CVSS v3 base score is 10.0 out of 10.

Is CVE-2025-20282 known to be exploited?

5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Privilege escalation in Cisco Identity Services Engine Software

CVE-2025-20282

A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and then execute those files on the underlying operating system as root. T…

Vulnerability class: Privilege Escalation

EPSS: 0.006 (69.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Affected products

Cisco Identity Services Engine Software — versions 3.4.0, 3.4 Patch 1

Weakness classification (CWE)

CWE-269 — Improper Privilege Management

Public proof-of-concept exploits

References

cisco-sa-ise-unauth-rce-ZAd2GnJ6

Frequently asked questions

What is CVE-2025-20282?: CVE-2025-20282 is a critical-severity vulnerability in Cisco Identity Services Engine Software, classified under Improper Privilege Management. CVSS score: 10.0/10. Published 2025-06-25.
How severe is CVE-2025-20282?: Critical severity. CVSS v3 base score is 10.0 out of 10.
Is CVE-2025-20282 known to be exploited?: 5 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.