Forwarded by Taiwan Computer Crisis and Coordination Center TWCERTCC-200-202507-00000012
[Content Description]
Cisco's Identity Services Engine (ISE) is an identity-based security management platform that collects information from the network and user devices, enforces policies, and makes access-control decisions in the network infrastructure. Cisco has released an advisory for a critical security vulnerability (CVE-2025-20337, CVSS: 10.0) together with an updated version. The vulnerability exists in a specific API of Cisco ISE and Cisco ISE-PIC. It can be exploited without any valid credentials, allowing an unauthenticated remote attacker to execute arbitrary code on the underlying operating system as root.
[Affected Platforms]
Cisco ISE and ISE-PIC 3.3, 3.4
[Suggested measures]
Apply the fix and patch published on the official website: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-unauth-rce-ZAd2GnJ6
[References]
https://www.twcert.org.tw/tw/cp-169-10251-d9034-1.html