CVE-2025-20304: 
Cisco ISE vulnerability analysis and mitigation

Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. The vulnerability (CVE-2025-20304) was disclosed on November 5, 2025, and affects Cisco ISE and ISE-PIC systems across multiple versions (Cisco Advisory).

The vulnerability stems from insufficient validation of user-supplied input by the web-based management interface of affected systems. The CVSS Base Score is 5.4 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. To exploit this vulnerability, an attacker must have at least a low-privileged account on the affected device (Cisco Advisory, NVD).

A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. The vulnerability affects confidentiality and integrity with low impact, while having no impact on availability (Cisco Advisory).

Cisco has released software updates that address this vulnerability. The fixed releases include ISE version 3.2 Patch 8 (Dec 2025), 3.3 Patch 8 (Nov 2025), and 3.4 Patch 4. Version 3.5 is not vulnerable. There are no workarounds available for this vulnerability (Cisco Advisory).

Cisco acknowledges Grzegorz Misiun of ING Hubs Poland for reporting this vulnerability (Cisco Advisory).