
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2025-20286) was discovered in Cisco Identity Services Engine (ISE) cloud deployments affecting Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). The vulnerability was disclosed on June 4, 2025, with a CVSS score of 9.9. The flaw affects ISE versions 3.1 through 3.4 on AWS and versions 3.2 through 3.4 on Azure and OCI, specifically when the Primary Administration node is deployed in the cloud (Cisco Advisory).
The vulnerability stems from improperly generated credentials during cloud deployment, causing different Cisco ISE deployments to share the same static credentials across instances running on the same platform and software release. For example, all instances of Release 3.1 on AWS share identical static credentials, though these credentials are not valid across different platforms or releases. The vulnerability is identified as CWE-259 (Use of Hard-coded Password) and received a Critical CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:H) (NVD, Cisco Advisory).
Successful exploitation could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems. The vulnerability only affects deployments where the Primary Administration node is in the cloud; on-premises deployments are not impacted (Arctic Wolf, Cisco Advisory).
While there are no direct workarounds for the vulnerability, Cisco recommends several mitigation steps:
1) Upgrade to the latest fixed releases (3.3P8 for version 3.3 and 3.4P3 for version 3.4).
2) Restrict access to the ISE instance by allowing only trusted source IP addresses via cloud security groups.
3) Use the 'application reset-config ise' command for fresh installations to reset default credentials.
Note that running this command will reset the system to factory defaults, and restoring from backups taken before the fix will restore the vulnerable state (Cisco Advisory).
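The second mitigation can be verified against exported security-group data. The following is an added example, not taken from the Cisco advisory or this page's sources: it reads the JSON structure returned by `aws ec2 describe-security-groups` and reports every ingress CIDR that is not contained in a trusted allowlist. The group IDs, ports and trusted networks are constructed sample values.

```python
import ipaddress

# Assumption: networks your ISE administrators connect from (constructed values).
TRUSTED = ("10.20.0.0/16", "198.51.100.0/24")

# Constructed sample shaped like the "SecurityGroups" list from
# `aws ec2 describe-security-groups --output json`.
SAMPLE = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.20.5.0/24"}]},
    ]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        # "-1" means all protocols and ports; this CIDR is wider than the
        # trusted /24 it overlaps, so it must still be reported.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "198.51.0.0/16"}]},
    ]},
]

def untrusted_ingress(security_groups, trusted=TRUSTED):
    """Return (group_id, protocol, ports, cidr) for each ingress CIDR that is
    not fully contained in one of the trusted networks."""
    allow = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")
            ports = ("all" if proto == "-1"
                     else f"{perm.get('FromPort')}-{perm.get('ToPort')}")
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                # Compare only within the same IP version; subnet_of() raises
                # TypeError on mixed IPv4/IPv6 operands.
                contained = any(net.version == t.version and net.subnet_of(t)
                                for t in allow)
                if not contained:
                    findings.append((sg["GroupId"], proto, ports, cidr))
    return findings

if __name__ == "__main__":
    for finding in untrusted_ingress(SAMPLE):
        print("untrusted ingress:", *finding)
```

Security groups referenced by group ID rather than CIDR (`UserIdGroupPairs`) are not evaluated here and need a separate review.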
Source: This report was generated using AI