Cisco rushes to fix critical ISE bug that shares passwords across cloud deployments

Cisco has patched a critical static-credential flaw (CVE-2025-20286, CVSS 9.9) in its Identity Services Engine (ISE) cloud images for AWS, Azure and Oracle Cloud. Because ISE generates the same default credentials for every deployment running the same software release on a given cloud, an unauthenticated attacker could grab those credentials from one instance and use them to access another, gaining sensitive data, limited admin rights, the ability to alter configurations or even disrupt services. Only cloud-hosted Primary Administration Nodes are affected; on-prem ISE servers are safe. Impacted versions are 3.1–3.4 (varying by platform). Cisco has seen a proof-of-concept exploit but no live attacks. There’s no workaround except applying the fixed images or resetting the ISE config, though admins can reduce risk by restricting management ports.

Cisco has issued emergency patches for a blunder that could let anyone stroll into cloud-hosted Identity Services Engine (ISE) servers without a password.

What went wrong?
When you spin up ISE in AWS, Azure or Oracle Cloud, the system creates a default admin account. Cisco now admits those credentials are identical for every deployment running the same software version on the same cloud. In other words, no cracking is needed: anyone who pulls the credentials from one deployment holds the keys to every other deployment on that release and cloud.

How bad is it?
The bug—tagged CVE-2025-20286 and scored 9.9/10—allows unauthenticated attackers to:
• View sensitive data
• Run certain admin commands
• Change configurations
• Knock services offline

On-prem ISE appliances escape the issue; only Primary Administration Nodes in the cloud are exposed.

Affected versions
• AWS: ISE 3.1, 3.2, 3.3, 3.4
• Azure & OCI: ISE 3.2, 3.3, 3.4

Fix or mitigate

Cisco has rebuilt the vulnerable images; apply them now. If that’s not yet possible, restrict access to the management ports to trusted administrative hosts, or run the CLI command 'application reset-config ise', which wipes the node back to factory settings and forces new credentials (painful, but safe).
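The root cause described above (credentials fixed at image build time rather than minted on the running instance) and the audit a defender would run afterwards are easier to see in code. The following is an added illustration written for this article, not Cisco ISE code: the cloud names, release strings, instance IDs and the audit key are constructed, and the derivation in baked_in_credential() stands in for any scheme that uses only image-wide inputs.

```python
"""Golden-image credential anti-pattern versus first-boot generation, plus a
fleet audit that flags nodes sharing an admin credential.

Constructed example for the article; not Cisco code. Cloud/release strings,
instance IDs and the audit key are made up.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict


# --- Anti-pattern: credential derived from image-wide inputs only -----------
def baked_in_credential(cloud: str, release: str) -> str:
    """Return a credential that depends only on (cloud, release).

    Nothing instance-specific enters the derivation, so every tenant who
    launches this image on the same cloud and release receives the same value.
    This mirrors the flaw described in the article; the hashing scheme itself
    is illustrative.
    """
    seed = f"{cloud}:{release}".encode()
    return hashlib.sha256(seed).hexdigest()[:16]


# --- Hardened: credential minted at first boot from instance entropy --------
def first_boot_credential() -> str:
    """Return a fresh credential drawn from the running instance's CSPRNG."""
    return secrets.token_urlsafe(24)


def provision(cloud: str, release: str, count: int, baked: bool) -> list:
    """Simulate launching `count` nodes and record each node's admin credential.

    baked=True models the vulnerable image; baked=False models a first-boot hook.
    Instance IDs are constructed (i-0000, i-0001, ...).
    """
    nodes = []
    for k in range(count):
        cred = baked_in_credential(cloud, release) if baked else first_boot_credential()
        nodes.append({"id": f"i-{k:04d}", "cloud": cloud, "release": release, "cred": cred})
    return nodes


# --- Defender's audit: which nodes share an admin credential? ---------------
def fingerprint(cred: str, audit_key: bytes) -> str:
    """Keyed fingerprint of a credential.

    Computed on each node with a per-audit key so cleartext never leaves the
    node and fingerprints cannot be turned back into passwords offline.
    """
    return hmac.new(audit_key, cred.encode(), "sha256").hexdigest()


def find_shared_credentials(nodes: list, audit_key: bytes) -> dict:
    """Group nodes by credential fingerprint; return only groups of size > 1.

    A non-empty result means distinct deployments are accepting the same
    secret, which is exactly the condition the article describes.
    """
    groups = defaultdict(list)
    for node in nodes:
        groups[fingerprint(node["cred"], audit_key)].append(node["id"])
    return {fp: ids for fp, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed per-audit key
    vulnerable_fleet = provision("aws", "3.4", 3, baked=True)
    hardened_fleet = provision("aws", "3.4", 3, baked=False)
    print("vulnerable image:", find_shared_credentials(vulnerable_fleet, key))
    print("first-boot image:", find_shared_credentials(hardened_fleet, key))
```

Run stand-alone, the first audit reports one group containing all three node IDs, the second reports nothing. The same audit shape applies to a real fleet: collect a keyed fingerprint of the admin credential from each node and treat any collision across deployments as a finding to remediate (rotate or reset) rather than a coincidence.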

Why it matters
ISE often sits at the heart of network access control. A compromise here hands attackers a springboard into VPNs, WLANs and directory services, exactly the foothold ransomware gangs crave. The flaw also highlights a growing cloud danger: mishandled golden images can make “cookie-cutter” deployments vulnerable at scale, because one secret baked into the image is shared by every instance launched from it.
If your organisation hosts ISE in the cloud, patch today and rotate any default passwords you thought were unique.