CVE-2025-20125

CRITICAL

Cisco Identity Services Engine - Authenticated Information Disclosure and Configuration Modification via API

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-20125. PoCs published by İbrahimsql, Yuri08loveElaina.

AI-analyzed exploit summary: This exploit leverages an authorization bypass vulnerability in Cisco ISE 3.0 to read sensitive configuration, force configuration reload, or reboot the system. It uses authenticated session tokens to send requests to specific API endpoints.

Description

A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node. This vulnerability is due to a lack of authorization in a specific API and improper validation of user-supplied data. An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device. A successful exploit could allow the attacker to obtain information, modify system configuration, and reload the device. Note: To successfully exploit this vulnerability, the attacker must have valid read-only administrative credentials. In a single-node deployment, new devices will not be able to authenticate during the reload time.

Exploits (2)

exploitdb WORKING POC
by İbrahimsql · python · remote · multiple
https://www.exploit-db.com/exploits/52397

This exploit leverages an authorization bypass vulnerability in Cisco ISE 3.0 to read sensitive configuration, force configuration reload, or reboot the system. It uses authenticated session tokens to send requests to specific API endpoints.

Classification: Working Poc 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Cisco ISE 3.0
Auth required
Prerequisites: Valid session token · Network access to the target
devstral-2 · analyzed Feb 16, 2026
github WORKING POC 3 stars
by Yuri08loveElaina · python · poc
https://github.com/Yuri08loveElaina/CVE-2025-20124_and_CVE-2025-20125

The repository contains a functional exploit for CVE-2025-20124 (Java deserialization RCE) and CVE-2025-20125 (authorization bypass) in Cisco ISE. The exploit includes a Python script that crafts and sends malicious payloads to vulnerable endpoints, demonstrating both RCE and authentication bypass capabilities.

Classification: Working Poc 80%
Attack Type: RCE | Auth Bypass | Deserialization
Complexity: Moderate
Reliability: Reliable
Target: Cisco Identity Services Engine (ISE)
Auth required
Prerequisites: Authenticated ISE session token · Access to vulnerable Cisco ISE appliance
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 9.1
EPSS 0.1450
EPSS Percentile 96.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862 CWE-285
Status published
Products (4)
cisco/identity_services_engine 3.1.0 (10 CPE variants)
cisco/identity_services_engine 3.2.0 (7 CPE variants)
cisco/identity_services_engine 3.3.0 (4 CPE variants)
cisco/identity_services_engine < 3.1
Published Feb 05, 2025
Tracked Since Feb 18, 2026