Government Warns of Hackers Exploiting Critical Cloud Vulnerability Without Passwords
The National Computer Emergency Team has issued a high-alert advisory regarding a severe security flaw impacting cloud deployments of Cisco Identity Services Engine (ISE). The vulnerability, tracked as CVE-2025-20286, has been rated 9.9 out of 10 on the CVSS scale, indicating its critical severity.
This vulnerability enables unauthenticated remote attackers to gain full administrative control over Cisco ISE instances hosted via Cisco’s official cloud images on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). The flaw can lead to total system compromise, unauthorized data access, and bypass of network security policies.
According to the advisory, the vulnerability arises from credential reuse and inadequate session validation in default cloud images provided by Cisco’s marketplace listings. On-premise deployments or manually configured cloud setups are not affected.
The presence of a public proof-of-concept (PoC) exploit further escalates the threat, allowing attackers to target exposed HTTPS management interfaces and execute privileged actions—without any user interaction or credentials.
Exploitation could allow cybercriminals to:
- Modify or disable critical security policies
- Access sensitive authentication logs
- Disable network access controls
- Move laterally across connected cloud infrastructure
The flaw affects Cisco ISE versions 3.1 through 3.4 deployed using Cisco marketplace images. Its root causes include hard-coded credentials, lax access control validation, and insecure default configurations.
Cisco has acknowledged the issue and released updated secure images in June 2025. Organizations using affected versions are strongly advised to redeploy their ISE instances using these patched images.
In cases where immediate redeployment isn’t feasible, emergency countermeasures include:
- Restricting external access to the ISE admin interface
- Using secure VPNs for admin access
- Enforcing multi-factor authentication (MFA)
- Isolating vulnerable resources with strict virtual network controls
Additionally, administrators should rotate all credentials linked to vulnerable deployments, inspect logs for unauthorized activity, integrate ISE monitoring with SIEM systems, and initiate forensic investigations if a breach is suspected.
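The two countermeasures that lend themselves to an automated check are restricting who can reach the ISE admin interface and inspecting logs for admin activity from unexpected sources. The script below is an added example written for this article; it is not Cisco's code and does not come from the advisory. It assumes the admin interface is reached over TCP/443, uses a simplified inbound-rule shape modelled on a generic cloud security-group export, and parses a log line format constructed for the example rather than ISE's real log format. The allowed admin network (10.20.0.0/16) and all rule and log values are constructed sample data.

```python
"""Added example (not Cisco's code or the advisory's): two defender-side checks.

Assumptions: the ISE admin GUI is reached over TCP/443, inbound rules are a
simplified dict form resembling a cloud security-group export, and the log line
format below is constructed for this example (it is not ISE's native format).
"""
import ipaddress
import re

ADMIN_PORTS = {443}  # assumption: HTTPS admin interface port
# Constructed: the only network from which admin access should originate (e.g. a VPN range).
ALLOWED_ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed inbound rules, shaped like a simplified security-group export.
INBOUND_RULES = [
    {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},     # admin GUI open to the world
    {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "10.20.0.0/16"},  # admin GUI from VPN only
    {"proto": "tcp", "from_port": 1812, "to_port": 1813, "cidr": "10.0.0.0/8"},  # RADIUS, not the admin port
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "::/0"},            # SSH, not the admin port
]

# Constructed log lines in this example's own format: "<ts> <event> user=<u> src=<ip> ...".
LOG_LINES = [
    "2025-06-10T08:01:12Z admin-login user=admin src=10.20.4.7 result=SUCCESS",
    "2025-06-10T08:05:44Z admin-login user=admin src=203.0.113.55 result=SUCCESS",
    "2025-06-10T08:06:01Z policy-change user=admin src=203.0.113.55 object=AuthzPolicy action=DISABLE",
    "2025-06-10T08:07:30Z admin-login user=ops src=10.20.9.2 result=FAILURE",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)(?: .*)?$")


def _rule_covers_port(rule, port):
    """True if the rule's protocol and port range include the given TCP port."""
    return rule["proto"] in ("tcp", "-1") and rule["from_port"] <= port <= rule["to_port"]


def _is_allowed_source(cidr, allowed):
    """True if the source CIDR lies entirely within one of the allowed admin networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def find_exposed_admin_rules(rules, admin_ports=ADMIN_PORTS, allowed=ALLOWED_ADMIN_NETWORKS):
    """Return the inbound rules that open an admin port to a source outside the allowed networks."""
    exposed = []
    for rule in rules:
        opens_admin = any(_rule_covers_port(rule, p) for p in admin_ports)
        if opens_admin and not _is_allowed_source(rule["cidr"], allowed):
            exposed.append(rule)
    return exposed


def flag_external_admin_activity(lines, allowed=ALLOWED_ADMIN_NETWORKS):
    """Return (timestamp, event, user, src) for admin events whose source IP is outside the allowed networks."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        src = ipaddress.ip_address(m["src"])
        if not any(src in a for a in allowed):
            findings.append((m["ts"], m["event"], m["user"], m["src"]))
    return findings


if __name__ == "__main__":
    for rule in find_exposed_admin_rules(INBOUND_RULES):
        print("EXPOSED admin rule:", rule)
    for finding in flag_external_admin_activity(LOG_LINES):
        print("EXTERNAL admin activity:", finding)
```

Run stand-alone, the first check reports the rule that exposes 443 to 0.0.0.0/0 while accepting the VPN-only rule, and the second check surfaces the login and the policy change from 203.0.113.55, which is exactly the sequence (external admin login followed by a policy being disabled) that the advisory's list of exploitation outcomes describes. Feeding real security-group exports and real ISE admin logs into the two functions only requires adapting the rule dict shape and the regular expression to the actual formats.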
Prompt action is vital to minimize exposure and protect against potential exploitation of this critical cloud vulnerability.