CVE-2025-20124

CRITICAL

Cisco Identity Services Engine - Authenticated Remote Code Execution via Insecure Java Deserialization

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2025-20124. PoCs published by İbrahimsql, Yuri08loveElaina, ftz7.

AI-analyzed exploit summary This exploit targets a Java deserialization vulnerability in Cisco ISE 3.0, allowing remote code execution via a crafted payload sent to the API endpoint. It requires an authenticated session token and constructs a base64-encoded serialized payload to execute arbitrary commands.

Description

A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker to execute arbitrary commands as the root user on an affected device. This vulnerability is due to insecure deserialization of user-supplied Java byte streams by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object to an affected API. A successful exploit could allow the attacker to execute arbitrary commands on the device and elevate privileges. Note: To successfully exploit this vulnerability, the attacker must have valid read-only administrative credentials. In a single-node deployment, new devices will not be able to authenticate during the reload time.

Exploits (3)

exploitdb WORKING POC
by İbrahimsql · pythonremotemultiple
https://www.exploit-db.com/exploits/52396

This exploit targets a Java deserialization vulnerability in Cisco ISE 3.0, allowing remote code execution via a crafted payload sent to the API endpoint. It requires an authenticated session token and constructs a base64-encoded serialized payload to execute arbitrary commands.

Classification
Working Poc 80%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Cisco ISE 3.0
Auth required
Prerequisites: Authenticated session token · Access to the target API endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 3 stars
by Yuri08loveElaina · poc
https://github.com/Yuri08loveElaina/CVE-2025-20124_and_CVE-2025-20125

This repository contains a Python-based exploit for CVE-2025-20124 (Java deserialization RCE) and CVE-2025-20125 (authorization bypass) in Cisco ISE. The exploit includes functionality to execute commands via deserialization and bypass authentication for configuration changes.

Classification
Working Poc 80%
Attack Type
Rce | Auth Bypass | Deserialization
Complexity
Moderate
Reliability
Theoretical
Target: Cisco ISE
Auth required
Prerequisites: Authenticated ISE session token · Java deserialization gadget chain
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by ftz7 · poc
https://github.com/ftz7/Cisco-ISE-3.0---Remote-Code-Execution-RCE-

This repository contains a Python-based exploit for CVE-2025-20124, targeting a Java deserialization vulnerability in Cisco ISE 3.0. The exploit sends a crafted serialized object to an internal endpoint, allowing remote command execution on the target system.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Cisco Identity Services Engine (ISE) 3.0
Auth required
Prerequisites: Valid session token · Access to the vulnerable endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 9.9
EPSS 0.1628
EPSS Percentile 96.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-502
Status published
Products (4)
cisco/identity_services_engine 3.1.0 (10 CPE variants)
cisco/identity_services_engine 3.2.0 (7 CPE variants)
cisco/identity_services_engine 3.3.0 (4 CPE variants)
cisco/identity_services_engine < 3.1
Published Feb 05, 2025
Tracked Since Feb 18, 2026