CVE-2025-20285: 
Cisco ISE vulnerability analysis and mitigation

A vulnerability (CVE-2025-20285) was discovered in the IP Access Restriction feature of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). The vulnerability was disclosed on July 16, 2025, affecting Cisco ISE versions 3.3.0 through 3.4.0 when the IP Access Restriction feature is enabled. This security flaw allows an authenticated, remote attacker to bypass configured IP access restrictions and log in to the device from a disallowed IP address (Cisco Advisory).

The vulnerability stems from improper enforcement of access controls configured using the IP Access Restriction feature. It has been assigned a CVSS v3.1 base score of 4.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N. The vulnerability is classified under CWE-302 (Authentication Bypass by Assumed-Immutable Data) (NVD).

A successful exploitation of this vulnerability could allow an attacker to gain access to the targeted device from an IP address that should have been restricted. However, to exploit this vulnerability, the attacker must possess valid administrative credentials (Cisco Advisory).

Cisco has released software updates to address this vulnerability. The fixed versions include ISE 3.3 Patch 7 and ISE 3.4 Patch 2. There are no workarounds available for this vulnerability, and users are advised to upgrade to the patched versions (Cisco Advisory).

The vulnerability was discovered and reported by Kentaro Kawane of GMO Cybersecurity by Ierae, working with Trend Micro Zero Day Initiative (Cisco Advisory).