CVE-2025-20332

MEDIUM

Cisco Identity Services Engine Software - Authenticated Incorrect Authorization via Crafted HTTP Request

Title source: llm

Description

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to modify parts of the configuration on an affected device. This vulnerability is due to the lack of server-side validation of Administrator permissions. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected system. A successful exploit could allow the attacker to modify descriptions of files on a specific page. To exploit this vulnerability, an attacker would need valid read-only Administrator credentials.

References (1)

Core 1

Core References

Various Sources

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise_xss_acc_cont-YsR4uT4U

Scores

CVSS v3 4.3

EPSS 0.0011

EPSS Percentile 29.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (23)

Cisco/Cisco Identity Services Engine Software 2.7.0 p8

Cisco/Cisco Identity Services Engine Software 3.1.0

Cisco/Cisco Identity Services Engine Software 3.1.0 p1

Cisco/Cisco Identity Services Engine Software 3.1.0 p2

Cisco/Cisco Identity Services Engine Software 3.1.0 p3

Cisco/Cisco Identity Services Engine Software 3.1.0 p4

Cisco/Cisco Identity Services Engine Software 3.1.0 p5

Cisco/Cisco Identity Services Engine Software 3.1.0 p6

Cisco/Cisco Identity Services Engine Software 3.1.0 p7

Cisco/Cisco Identity Services Engine Software 3.1.0 p8

... and 13 more

Published Aug 06, 2025

Tracked Since Feb 18, 2026