Cisco Identity Services Engine Software - RCE (CVE-2025-20281)
222 exploiting IPs reported
A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.
CrowdSec analysis
CVE-2025-20281 is a critical vulnerability in Cisco Identity Services Engine (ISE) and ISE-PIC that allows unauthenticated, remote attackers to execute arbitrary code as root on the underlying operating system. By exploiting insufficient input validation in a specific API, attackers can send crafted requests to gain full control over affected devices without needing credentials. This flaw poses a severe risk, enabling complete system compromise and potentially facilitating further attacks within the network.
CrowdSec has been tracking this vulnerability and its exploits since the 13th of August 2025.
CrowdSec network data shows that most actors exploiting CVE-2025-20281 rely on broad, untargeted scans with minimal filtering. The activity is largely automated and opportunistic in nature. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2025-20281 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2025-20281 is currently experiencing high visibility and active exploitation across the internet.
Attackers exploit the Cisco ISE ERS API by sending unauthenticated POST requests to URLs containing /ers/sdk, injecting arbitrary OS commands into the name field of the JSON payload to achieve remote code execution as root.
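One way to turn the request pattern described above into a log triage rule, as an added example that is not CrowdSec's or Cisco's code. It assumes request records with method, path, authorization and body fields are available from a reverse proxy or WAF log; the field names, the /ers/sdk/example path, the metacharacter list and the sample records are all constructed for illustration.

```python
import json
import re
from urllib.parse import unquote

# Assumption: legitimate object names never need shell metacharacters.
SHELL_META = re.compile(r"[;&|`<>\n]|\$\(|\$\{")

def iter_name_values(node):
    """Yield every string stored under a "name" key, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "name" and isinstance(value, str):
                yield value
            else:
                yield from iter_name_values(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_name_values(item)

def classify(request):
    """Return 'alert', 'review' or 'ignore' for one logged request record."""
    path = unquote(request["path"]).lower()
    if request["method"].upper() != "POST" or "/ers/sdk" not in path:
        return "ignore"
    if request.get("authorization"):
        return "ignore"  # the activity described on this page is unauthenticated
    try:
        body = json.loads(request.get("body") or "")
    except json.JSONDecodeError:
        return "review"  # unauthenticated POST whose body cannot be inspected
    if any(SHELL_META.search(v) for v in iter_name_values(body)):
        return "alert"   # shell metacharacters inside a "name" field
    return "review"      # unauthenticated POST to the ERS SDK path

# Constructed records (hypothetical field names and endpoint), not real traffic.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/index.html", "authorization": None, "body": ""},
    {"method": "POST", "path": "/ers/sdk/example", "authorization": "Basic <redacted>",
     "body": '{"Example": {"name": "lab-user-01"}}'},
    {"method": "POST", "path": "/ers/sdk/example", "authorization": None,
     "body": '{"Example": {"name": "lab-user-01"}}'},
    {"method": "POST", "path": "/ERS/sdk/example", "authorization": None,
     "body": '{"Example": {"name": "x; placeholder-command"}}'},
]

def scan(requests):
    return [classify(r) for r in requests]

if __name__ == "__main__":
    for record, verdict in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(verdict, record["method"], record["path"])
```

The "review" verdict covers unauthenticated POSTs to the path that carry no visible injection marker, which is where the broad automated scanning described above would show up.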
Exploitation
Get real-time information about exploitation attempts and actors involved.
Protection
Find out relevant information to protect your stack against this CVE.
Blocklist
With our advanced worldwide network detection, CrowdSec can provide a list of IPs known for exploiting the vulnerability.
To increase your protection against this CVE, block exploitation attempts with this list of identified actors.