CVE-2025-20124
Published: 05 February 2025
Description
A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device. This vulnerability is due to insecure deserialization of user-supplied Java byte streams by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object to an affected API. A successful exploit could allow the attacker to execute arbitrary commands on the device and elevate privileges. Note: To successfully exploit this vulnerability, the attacker must have valid read-only administrative credentials. In a single-node deployment, new devices will not be able to authenticate during the reload time.
Security Summary
CVE-2025-20124 is a critical vulnerability in an API of Cisco Identity Services Engine (ISE), caused by insecure deserialization of user-supplied Java byte streams in the affected software. This deserialization flaw allows an authenticated, remote attacker to execute arbitrary commands as the root user on impacted devices. The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H) and is associated with CWE-502 (Deserialization of Untrusted Data). It was published on 2025-02-05.
An attacker requires valid read-only administrative credentials to exploit the vulnerability remotely over the network with low complexity and no user interaction. By sending a crafted serialized Java object to the affected API, the attacker can achieve arbitrary command execution on the device and privilege escalation to root. In single-node ISE deployments, exploitation may disrupt authentication for new devices during reload periods.
Cisco has issued a security advisory addressing this and related vulnerabilities in ISE at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-multivuls-FTW9AOXF, which provides details on affected versions and recommended mitigation steps.
Details
- CWE(s)