Code Defence Cyber security

Cisco ISE Zero-Day (CVE-2025-20337) Exploited by Advanced Hackers

Amazon researchers revealed that a sophisticated threat actor has been exploiting a zero-day vulnerability (CVE-2025-20337) in the Cisco Identity Services Engine (ISE). This pre-authentication RCE flaw allows attackers to gain full administrator-level access to the compromised ISE system.

Business Impact

This is a catastrophic breach. Cisco ISE is the central “gatekeeper” for many corporate networks, controlling which users and devices can access which resources (NAC). Compromising it allows attackers to control the entire network, bypass segmentation, and impersonate any user or device.

Why It Happened

The flaw is vulnerable deserialization logic in a previously undocumented endpoint on the ISE. Attackers deployed a custom-built web shell, designed specifically to look like a legitimate Cisco component, to maintain stealthy, persistent access.

Recommended Executive Action

Direct your network security team to immediately apply the patches released by Cisco for ISE. This is a critical risk, and given the targeted nature of the attack, you must assume compromise and hunt for the described web shell and other IoCs.

Hashtags: #Cisco #ZeroDay #Vulnerability #RCE #CiscoISE #NAC #CyberSecurity #InfoSec #APT
