
Critical Cisco ISE Vulnerabilities Under Active Exploitation, Enabling Unauthenticated Root Access
Cisco has confirmed the active exploitation of three unauthenticated remote code execution (RCE) vulnerabilities in its Identity Services Engine (ISE) and ISE-Passive Identity Connector (ISE-PIC). These vulnerabilities enable attackers to gain root access through HTTPS API requests or file downloads without authentication. The affected versions include ISE/ISE-PIC 3.3 and 3.4, with patches available for mitigation. According to the source, exploits began in July 2025, with automated scans and weaponized proof-of-concept (PoC) exploits circulating on exploit forums.

The technical implications are severe, as unauthenticated RCE vulnerabilities allow attackers to take full control of the system without prior access. Given ISE's role in security policy management, a compromise could lead to manipulation of authentication and authorization policies, facilitating lateral movement and data exfiltration.

The impact on the cybersecurity landscape is significant due to ISE's widespread use in enterprise environments. The availability of weaponized PoCs lowers the barrier for exploitation, increasing the risk of widespread attacks. Cybersecurity professionals should prioritize patching affected systems and monitor network traffic for signs of exploitation attempts, such as unusual API requests or file download patterns. This situation underscores the importance of timely patch management and robust network monitoring to mitigate the risks posed by such critical vulnerabilities.