CVE-2025-20286
Advisory
June 6, 2025

Critical Cisco ISE Cloud Deployment Static Credential Vulnerability

Kudelski Security Team

Summary

On May 29, 2025, Cisco disclosed a critical vulnerability (CVE-2025-20286) affecting cloud deployments of Cisco Identity Services Engine (ISE) on AWS, Azure, and Oracle Cloud Infrastructure (OCI). The issue stems from improperly generated static credentials during cloud deployments, causing identical credentials to be shared across instances of the same ISE version and platform.

An unauthenticated remote attacker could exploit this flaw to access sensitive data, perform limited administrative actions, modify system settings, or disrupt services across affected environments.

The vulnerability only impacts deployments where the Primary Administration Node resides in the cloud. On-premises Primary Administration Nodes are not affected.

Affected Systems and Applications

The vulnerability CVE-2025-20286 affects specific cloud-based deployments of Cisco Identity Services Engine (ISE) on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI).

  • Affected Deployments:
    Cisco ISE is vulnerable when:
    • It is deployed in default configuration on cloud platforms (AWS, Azure, OCI).
    • The Primary Administration Node (PAN) is deployed in the cloud.
    Cloud Platform   Vulnerable Cisco ISE Versions
    AWS              3.1, 3.2, 3.3, 3.4
    Azure            3.2, 3.3, 3.4
    OCI              3.2, 3.3, 3.4

These affected deployments share identical static credentials for the same release and cloud provider, making them susceptible to cross-instance compromise if one deployment is exposed.

  • Not Affected:
    The following deployments are not affected:
    • On-premises deployments using official Cisco ISOs or OVAs, regardless of form factor.
    • Cisco ISE deployed on:
      • Azure VMware Solution (AVS)
      • Google Cloud VMware Engine
      • VMware Cloud on AWS
    • Hybrid environments where all ISE Administrator personas (PAN/SAN) are on-premises, even if other personas reside in the cloud.

Technical Details / Attack Overview

The vulnerability CVE-2025-20286 affects cloud-based deployments of Cisco Identity Services Engine (ISE) on AWS, Azure, and Oracle Cloud Infrastructure. It stems from the way credentials are automatically generated during the deployment process. When ISE is installed in the cloud using default workflows, the system creates static, hardcoded credentials that are the same for all deployments using the same software version and cloud platform.

This means, for example, that all Cisco ISE version 3.2 instances deployed on Azure will share the same internal credentials. These credentials are not unique per deployment, and this lack of entropy leads to a serious security risk.

An attacker who gains access to one such cloud-based ISE instance, whether through misconfiguration, compromised accounts, or other means, can extract these static credentials. They can then reuse those credentials to access other Cisco ISE instances on the same platform and version, even across different organizations, as long as those instances expose the relevant management interfaces (e.g., through open or improperly secured ports).

With this access, the attacker can retrieve sensitive configuration data, carry out limited administrative functions, change system settings, or even cause disruption of services. Importantly, this attack does not require prior authentication, making it a high-severity issue.

This vulnerability only affects deployments where the Primary Administration Node (PAN) is hosted in the cloud. On-premises PAN deployments, or hybrid models with an on-prem PAN, are not affected. Furthermore, deployments using ISO/OVA-based artifacts from Cisco’s Software Download Center (rather than cloud-native templates) are also not vulnerable.

Temporary Workarounds and Mitigations

There are no effective workarounds to fully resolve the vulnerability, but the following mitigations are advised:

  • Restrict Access
    • Cloud Security Groups: Restrict access to Cisco ISE instances by IP using cloud-native security groups.
    • Cisco ISE ACLs: Configure ISE to allow traffic only from authorized admin IP addresses.
  • Do not reuse configurations or backups without resetting credentials.
    • Credential Regeneration (Cloud Only)

      For new installations, or if the PAN is in the cloud, run: application reset-config ise

      Warning: This command resets Cisco ISE to factory settings. Restoring a configuration backup taken before the reset will reintroduce the vulnerable credentials.

  • Patch all cloud-hosted Cisco ISE deployments to the latest fixed version.
    • Fixed Versions

Cisco has released hot fixes and permanent releases to remediate this issue:

    ISE Version   Hot Fix Package                                   Fixed Version
    3.1 – 3.4     ise-apply-CSCwn63400_3.1.x_patchallSPA.tar.gz     Migrate to fixed release
                  (Software Download – Cisco Systems)
    3.3           See above                                         3.3P8 (Nov 2025)
    3.4           See above                                         3.4P3 (Oct 2025)
    3.5           Not applicable                                    Fix planned (Aug 2025)

  • All affected users are urged to upgrade to a fixed release immediately.
  • Credentials are unique per platform and release (e.g., 3.1/AWS ≠ 3.2/AWS or 3.2/Azure), so every affected platform/version combination must be remediated separately.
  • Backups contain the vulnerable credentials: ensure a credential reset is performed after any restoration.
  • Always validate security group configurations after cloud deployments.
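The two defensive checks above (deciding which inventory entries meet the advisory's affected-deployment conditions, and verifying that cloud security groups only admit approved admin IP ranges to ISE management ports) can be scripted. The following is an added example written for this post; it is not code from Cisco, Kudelski Security or the advisory. It encodes the platform/version table and the PAN-in-cloud and ISO/OVA conditions stated above, and audits a security group in the shape returned by AWS `describe-security-groups`. The inventory records, the security group JSON, the approved admin CIDR, and the choice of TCP 443 and 22 as the ISE admin ports to audit are all constructed assumptions for illustration.

```python
"""Defender-side triage for CVE-2025-20286 (Cisco ISE cloud static credentials).

Added example, not Cisco's or Kudelski Security's code. It encodes the
affected-deployment rules from the advisory and audits a cloud security
group (AWS describe-security-groups shape, constructed sample) for admin
ports reachable from outside the approved admin ranges. The admin port
list, field names and all sample data are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Vulnerable ISE releases per cloud platform, as listed in the advisory.
VULNERABLE_VERSIONS = {
    "aws": {"3.1", "3.2", "3.3", "3.4"},
    "azure": {"3.2", "3.3", "3.4"},
    "oci": {"3.2", "3.3", "3.4"},
}

# ISE management ports assumed for the audit (admin GUI/API over HTTPS, CLI over SSH).
ISE_ADMIN_PORTS = {443, 22}


@dataclass
class IseDeployment:
    name: str
    platform: str             # "aws", "azure", "oci", "on-prem", "avs", ...
    version: str              # major.minor release, e.g. "3.2"
    pan_in_cloud: bool        # Primary Administration Node hosted in the cloud
    cloud_native_image: bool  # deployed from a cloud template, not a Cisco ISO/OVA


def is_affected(d: IseDeployment) -> bool:
    """Apply the advisory's conditions: cloud-native image on AWS/Azure/OCI,
    a vulnerable release for that platform, and the PAN hosted in the cloud."""
    platform = d.platform.lower()
    if platform not in VULNERABLE_VERSIONS:
        return False          # on-prem, AVS, GCVE, VMC on AWS: not affected
    if not d.cloud_native_image:
        return False          # ISO/OVA artifacts from the Software Download Center
    if not d.pan_in_cloud:
        return False          # hybrid with all admin personas on-premises
    return d.version in VULNERABLE_VERSIONS[platform]


def triage(deployments):
    """Names of inventory entries that need the hot fix or a fixed release."""
    return [d.name for d in deployments if is_affected(d)]


def _covers_admin_port(perm) -> bool:
    """True if an IpPermissions entry reaches any assumed ISE admin port."""
    if perm.get("IpProtocol") == "-1":      # AWS wildcard: all protocols/ports
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return False
    return any(lo <= p <= hi for p in ISE_ADMIN_PORTS)


def find_exposed_ingress(security_group, allowed_admin_cidrs):
    """Return (from_port, to_port, cidr) for ingress rules that let sources
    outside the approved admin CIDRs reach ISE admin ports."""
    allowed = [ip_network(c) for c in allowed_admin_cidrs]
    findings = []
    for perm in security_group.get("IpPermissions", []):
        if not _covers_admin_port(perm):
            continue
        for rng in perm.get("IpRanges", []):
            cidr = ip_network(rng["CidrIp"])
            approved = any(a.version == cidr.version and cidr.subnet_of(a)
                           for a in allowed)
            if not approved:
                findings.append((perm.get("FromPort"), perm.get("ToPort"), rng["CidrIp"]))
    return findings


# Constructed sample inventory (hypothetical names and placements).
INVENTORY = [
    IseDeployment("ise-azure-prod", "azure", "3.2", pan_in_cloud=True, cloud_native_image=True),
    IseDeployment("ise-aws-lab", "aws", "3.1", pan_in_cloud=False, cloud_native_image=True),
    IseDeployment("ise-aws-dc", "aws", "3.4", pan_in_cloud=True, cloud_native_image=False),
    IseDeployment("ise-onprem", "on-prem", "3.3", pan_in_cloud=False, cloud_native_image=False),
    IseDeployment("ise-oci-pilot", "oci", "3.4", pan_in_cloud=True, cloud_native_image=True),
]

# Constructed security group in AWS describe-security-groups shape.
SAMPLE_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # admin GUI open to the world
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},     # SSH limited to admin range
        {"IpProtocol": "udp", "FromPort": 1812, "ToPort": 1813,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # RADIUS, not an admin port here
    ],
}
ADMIN_CIDRS = ["203.0.113.0/24"]   # constructed approved admin range

if __name__ == "__main__":
    print("Affected deployments:", triage(INVENTORY))
    print("Exposed admin ingress:", find_exposed_ingress(SAMPLE_SG, ADMIN_CIDRS))
```

Run against a real inventory, `triage` flags only the entries that match all of the advisory's conditions at once, so an AWS 3.1 instance whose admin personas are on-premises, or a cloud PAN built from a Cisco ISO/OVA, is correctly left out. `find_exposed_ingress` reports the rule that opens TCP 443 to 0.0.0.0/0 and ignores the RADIUS rule, because only the assumed admin ports are in scope; the same logic can be pointed at Azure NSG or OCI security-list exports once their fields are mapped to the same shape.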

What the Cyber Fusion Center is Doing

The Cyber Fusion Center (CFC) is actively monitoring for exploitation attempts and evaluating threat intelligence for indicators of compromise (IOCs). Actions include:

At this time, the potential for exploitation underscores the urgency of applying the available patches.
