Security researchers have recently published details of an attack technique that hijacks Cisco ISE through the security flaw CVE-2025-20281, a serious vulnerability that allows remote attackers to execute commands with root privileges.

The CVE-2025-20281 vulnerability lies in the Cisco Identity Services Engine (ISE), a network access control platform widely used in enterprises. Although Cisco warned of the vulnerability in late June and released a patch, the published exploit details are a "warning bell" for systems that have not yet been updated.

Two related security vulnerabilities are involved:

  • CVE-2025-20281: A command injection flaw that lets an attacker send specially crafted data which is then executed as a system command.
  • CVE-2025-20337: An insecure deserialization flaw in the data-processing component, which opens the way for malicious code to enter the system.

What makes this particularly dangerous is that the attacker does not need an account or any authentication at all: network access to the system is enough to upload a malicious file and execute it with root privileges.

In the published write-up, the researchers described a complete attack sequence:

  1. Send a serialized Java payload to exploit the deserialization flaw.
  2. Trigger command execution through Java's Runtime.exec() function.
  3. Use ${IFS} (a shell variable that expands to whitespace) to get around argument-formatting restrictions when running commands.
  4. From there, obtain root access inside the Docker container running Cisco ISE.
  5. Then use a well-known escape technique based on cgroups and the release agent to break out of Docker and gain root on the physical host.

Although the write-up does not provide a ready-made exploit script, the techniques and payloads it describes are enough for a skilled attacker to rebuild the exploit on their own.

Cisco has confirmed that both vulnerabilities are being exploited in the wild. They affect ISE versions 3.3 and 3.4 (as well as ISE-PIC). Corporate networks, government organizations and service providers are all at risk if they have not updated.

With the CVE-2025-20281 vulnerability in Cisco ISE, attackers do not need to send phishing emails, do not need a login account, and require no user interaction. This is a vulnerability in a network service: the attacker can send data directly over the network to any system that exposes the ISE service portal.

When a Cisco ISE system is vulnerable and the patch has not been applied, attackers can proceed in the following sequence:

Step 1: Send "trapping" data to the system

  • The attacker sends a special piece of data (called a payload) to Cisco ISE. This data is "packaged" in such a way that the system erroneously treats it as valid.
  • Believing the data is legitimate, the system unpacks and executes it (this is called deserialization and injection).

Step 2: Execute malicious commands with root privileges

  • Through that data, the attacker inserts system commands into the server running ISE, and these commands are run with root access (i.e., the highest level of access on the system).
  • With root access, the attacker can do anything: install software, modify system files, add hidden accounts, and so on.

Step 3: Escape Docker and go deeper

Cisco ISE typically runs inside a protected environment called a Docker container. But the attackers don't stop there. They use an advanced technique to escape Docker and reach the host machine that controls the entire server.

Step 4: Take control of the entire internal network

After escaping the protective layer, the attacker may:

  • Install spyware or malicious code at will.
  • Collect login credentials for employees, systems, and devices.
  • Monitor or record network activity and impersonate users.
  • Extend the attack to other systems on the same internal network (lateral movement).

In other words, starting from a small error in the way data is processed, attackers can get into the system, break through the layers of protection, and eventually control the entire network infrastructure like a real administrator.

There is no workaround. The only fix is to update to the patched releases:

  • ISE 3.3 Patch 7
  • ISE 3.4 Patch 2

In addition, system administrators should:

  • Check the system logs for unusual access.
  • Monitor Docker container activity and high-privilege processes.
  • Restrict external access to ISE unless it is absolutely necessary.
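To make the patch list and the administrator checklist above concrete, here is a small triage script. It is an added example written for this article, not Cisco's code or anything from the researchers' write-up. It does two things: compares an ISE release train and patch level against the fixed patch levels the article names, and scans log lines for the three indicators the attack chain leaves behind (a `${IFS}` token in a request body, a shell spawned by the Java process inside the container, and a write to a cgroup `release_agent` file). The log line formats and the sample lines are constructed for the example; real ISE, web-server and container runtime logs will differ, so the regular expressions are placeholders to adapt, not production detections.

```python
import re
from typing import Iterable, List, Tuple

# Fixed patch levels as stated in the article: ISE 3.3 Patch 7 and ISE 3.4 Patch 2.
# Any lower patch level of the same train is treated as vulnerable.
FIXED_PATCH = {"3.3": 7, "3.4": 2}


def is_vulnerable(train: str, patch: int) -> bool:
    """Return True when the given release train/patch level is below the fix.

    Trains not listed in the advisory (hypothetically "3.2") are reported as
    not affected by this check, which mirrors the article's scope.
    """
    fixed = FIXED_PATCH.get(train)
    if fixed is None:
        return False
    return patch < fixed


# Hypothetical log formats (constructed for this example).
# 1) ${IFS} appearing in a request body sent to the ISE web service.
IFS_IN_REQUEST = re.compile(r"\$\{IFS\}")
# 2) A shell started with the Java process as its parent, inside the container.
SHELL_FROM_JAVA = re.compile(
    r"exec: parent=java\b.*\bchild=(?:/bin/sh|/bin/bash|sh|bash)\b"
)
# 3) A write-mode open of a cgroup release_agent file.
RELEASE_AGENT_WRITE = re.compile(r'open\("([^"]*release_agent)"')


def triage(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Scan log lines and return (line_number, indicator_name) for each hit."""
    findings: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        if IFS_IN_REQUEST.search(line):
            findings.append((number, "ifs_in_request"))
        if SHELL_FROM_JAVA.search(line):
            findings.append((number, "shell_spawned_from_java"))
        if RELEASE_AGENT_WRITE.search(line):
            findings.append((number, "cgroup_release_agent_write"))
    return findings


# Constructed sample lines; one benign line and one line per indicator.
SAMPLE_LOGS = [
    'web: POST /api/hypothetical body="param=a${IFS}b" src=198.51.100.7',
    'audit: exec: parent=java pid=1201 child=/bin/sh args="-c" container=ise-app',
    'audit: open("/sys/fs/cgroup/memory/release_agent", O_WRONLY) pid=1304 container=ise-app',
    'web: GET /admin/login src=203.0.113.5 status=200',
]


if __name__ == "__main__":
    for train, patch in (("3.3", 6), ("3.3", 7), ("3.4", 1), ("3.4", 2)):
        state = "VULNERABLE" if is_vulnerable(train, patch) else "patched"
        print(f"ISE {train} Patch {patch}: {state}")
    for number, indicator in triage(SAMPLE_LOGS):
        print(f"line {number}: {indicator}")
```

The version check is deliberately strict about the train: an unlisted train returns False rather than guessing, so a deployment on an unexpected release shows up as "not flagged" and prompts a manual look at the advisory rather than a false sense of safety. Each indicator is checked independently so a single line can raise more than one finding.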

The CVE-2025-20281 vulnerability in Cisco ISE is a good example of how attackers can exploit weaknesses in corporate network systems to take full control. The fact that a researcher publicly detailed the attack technique further increases the risk of exploitation.

Don't wait for an incident to occur. Check your Cisco ISE system immediately and apply the patch as soon as possible. In the online world, a moment's delay can cost the entire system.

According to Bleeping Computer