Cisco Patches Critical Flaw in Identity Services Engine Affecting Azure, AWS, and Oracle Cloud

A critical flaw in Cisco ISE cloud deployments could allow attackers to access multiple systems using the same credentials.


Key Takeaways:

  • Cisco fixes three critical security flaws in its ISE and CCP platforms.
  • One major vulnerability involves shared cloud credentials across deployments.
  • Public exploit code exists for at least one flaw, increasing urgency to patch.

Cisco has released patches for three critical vulnerabilities affecting its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP), including one high-risk flaw with a publicly available proof-of-concept (PoC) exploit. Tracked as CVE-2025-20286, CVE-2025-20130, and CVE-2025-20129, these vulnerabilities pose significant threats to cloud-based deployments and user data security.

Shared credentials put multiple deployments at risk

According to Cisco, CVE-2025-20286 is a static credential vulnerability with a CVSS score of 9.9. It primarily affects ISE cloud deployments in AWS, Azure, and Oracle Cloud Infrastructure (OCI). This security flaw could allow unauthorized users to access sensitive data, execute limited administrative operations, and modify system configurations.

This vulnerability stems from the improper generation of login credentials when ISE is deployed on cloud platforms. Consequently, different Cisco ISE deployments share the same credentials.

“These credentials are shared across multiple Cisco ISE deployments as long as the software release and cloud platform are the same,” Cisco explained. “An attacker could exploit this vulnerability by extracting the user credentials from Cisco ISE that is deployed in the cloud and then using them to access Cisco ISE that is deployed in other cloud environments through unsecured ports.”

This security flaw is exploitable only if the Primary Administration Node (PAN) is deployed in the cloud. A threat actor might be able to reach the ISE instance because it is exposed to the internet or because of misconfigurations that are common in cloud environments. If the PAN is on-premises, the deployment is not vulnerable to this specific issue.

No workaround available – patch immediately

Cisco notes that this vulnerability affects ISE versions 3.1, 3.2, 3.3, and 3.4 deployed on AWS (Amazon Web Services); versions 3.2, 3.3, and 3.4 deployed on Azure; and versions 3.2, 3.3, and 3.4 deployed on Oracle Cloud Infrastructure. There is currently no evidence that the vulnerability has been exploited in the wild.

As of this writing, Cisco has not provided any workaround to help organizations address this vulnerability. The company advises IT administrators to apply the patch immediately within enterprise environments.

Cisco has also patched CVE-2025-20129, a vulnerability in the web-based chat interface of Cisco’s Customer Collaboration Platform (CCP). It could allow an unauthenticated attacker to trick a victim into disclosing sensitive information. Threat actors could exploit this flaw by sending specially crafted HTTP requests to the chat interface of a user on a vulnerable server.

Lastly, Cisco has addressed the CVE-2025-20130 flaw that also affects ISE and Cisco ISE Passive Identity Connector (ISE-PIC). It could allow an attacker with admin privileges to upload files to a compromised device. This vulnerability could be exploited by sending a crafted file upload request to a specific API endpoint.