Cisco has rolled out a fix for a major flaw (CVE-2025-20286, rated 9.9 in severity) in its Identity Services Engine (ISE), especially when run in cloud environments like AWS, Azure, and Oracle Cloud.
The issue involves built-in credentials that do not change from one installation to the next, which could let attackers remotely access affected systems without authenticating, potentially exposing sensitive data or letting them tamper with settings and services.
The flaw comes down to hardcoded credentials that are reused across cloud-based ISE deployments. If you run the same ISE version on, say, AWS, the login credentials will be identical across every deployment of that version. That means someone who obtains the credentials from one environment could use the same information to break into others, especially where unsecured ports are left open.
Cisco credited Kentaro Kawane from GMO Cybersecurity for uncovering the flaw and confirmed that a working proof-of-concept exists, though there’s no evidence it’s been used in real attacks yet. The risk applies only to setups where the main admin node runs in the cloud; if you’re running ISE on-premises, you’re in the clear.
The affected versions include:
- AWS: ISE versions 3.1 through 3.4
- Azure: ISE versions 3.2 to 3.4
- Oracle Cloud: ISE versions 3.2 to 3.4
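To turn the version list and the cloud-hosted-PAN condition above into a repeatable inventory check, here is an added example (not Cisco's code, and not part of the original article). It assumes an inventory where each deployment records its platform, its ISE version string (assumed to start with major.minor, e.g. 3.2.0.xxx; only major.minor is compared) and whether the primary administration node runs in the cloud; the sample inventory is constructed for illustration.

```python
from dataclasses import dataclass

# Affected major.minor ranges as listed in the advisory summary (inclusive bounds).
# Anything not in this table (on-prem, other platforms) is treated as out of scope.
AFFECTED_RANGES = {
    "aws": ((3, 1), (3, 4)),
    "azure": ((3, 2), (3, 4)),
    "oracle cloud": ((3, 2), (3, 4)),
}


@dataclass
class IseDeployment:
    name: str
    platform: str       # "aws", "azure", "oracle cloud" or "on-prem" (assumed labels)
    version: str        # assumed format: "major.minor.build..." ; only major.minor is used
    pan_in_cloud: bool  # True if the primary administration node is hosted in the cloud


def parse_major_minor(version: str) -> tuple[int, int]:
    """Extract (major, minor) from an ISE version string; reject malformed input."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not (parts[0].isdigit() and parts[1].isdigit()):
        raise ValueError(f"unrecognised ISE version string: {version!r}")
    return int(parts[0]), int(parts[1])


def is_affected(dep: IseDeployment) -> bool:
    """Apply the two conditions from the advisory: affected platform/version range
    AND the primary administration node running in the cloud."""
    rng = AFFECTED_RANGES.get(dep.platform.lower())
    if rng is None:
        return False  # on-prem or unlisted platform: not in scope
    if not dep.pan_in_cloud:
        return False  # only cloud-hosted primary admin nodes are exposed
    lo, hi = rng
    return lo <= parse_major_minor(dep.version) <= hi


def triage(deployments: list[IseDeployment]) -> list[str]:
    """Return the names of deployments that need the fix applied."""
    return [d.name for d in deployments if is_affected(d)]


# Constructed sample inventory (hypothetical names and versions).
SAMPLE_INVENTORY = [
    IseDeployment("ise-aws-prod", "aws", "3.1.0.518", pan_in_cloud=True),
    IseDeployment("ise-aws-lab", "aws", "3.0.0.458", pan_in_cloud=True),
    IseDeployment("ise-azure-eu", "azure", "3.3.0.430", pan_in_cloud=True),
    IseDeployment("ise-azure-psn", "azure", "3.3.0.430", pan_in_cloud=False),
    IseDeployment("ise-oci-apac", "oracle cloud", "3.4.0.608", pan_in_cloud=True),
    IseDeployment("ise-dc1", "on-prem", "3.2.0.542", pan_in_cloud=False),
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"needs patch: {name}")
```

Deployments outside the listed ranges are reported as not affected purely because they are not in the advisory's list; treat that as "not listed" rather than proof of safety, and verify against Cisco's own advisory for the current version table.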
At the moment, Cisco has not offered any official workaround. The company suggests limiting access to trusted administrators, or doing a full reset using the application reset-config ise command, but note that this wipes everything and returns the system to its original state. The safest bet is to install the security updates right away.