Cisco Identity Services Engine Insecure Java Deserialization Vulnerability Allowing Arbitrary Command Execution

Vulnerability

A vulnerability exists in an API of Cisco Identity Services Engine (ISE) due to insecure deserialization of user-supplied Java byte streams. This vulnerability could allow an authenticated, remote attacker with read-only administrative credentials to execute arbitrary commands as the root user on the affected device. Exploitation involves sending a crafted serialized Java object to the vulnerable API. In single-node deployments, new devices may fail to authenticate during the reload period.
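The root cause described above is the classic unsafe pattern of calling ObjectInputStream.readObject() on a byte stream the caller controls. The following is an added illustration, not Cisco's code and not ISE's API: it shows that vulnerable pattern next to a hardened reader that uses the JDK 9+ ObjectInputFilter to admit only an explicit allowlist of classes and to cap stream depth and size. The class names (DeserializationDemo, NodeStatus) and the sample payloads are hypothetical.

```java
import java.io.*;
import java.util.Map;

// Added example (not Cisco's code): the unsafe readObject() pattern behind
// Java deserialization bugs, beside a hardened reader that only admits an
// explicit allowlist of classes. All class names here are hypothetical.
public class DeserializationDemo {

    // Hypothetical payload type that a legitimate API request would carry.
    public static final class NodeStatus implements Serializable {
        private static final long serialVersionUID = 1L;
        final String node;
        final boolean healthy;
        NodeStatus(String node, boolean healthy) { this.node = node; this.healthy = healthy; }
    }

    // Vulnerable: readObject() instantiates whatever class the stream names,
    // so whoever controls the bytes chooses which classes get constructed.
    public static Object deserializeUnsafe(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // Hardened: the filter rejects every class not on the allowlist before it
    // is resolved, and the limits bound depth/refs/bytes against resource
    // exhaustion. The trailing "!*" rejects anything not matched earlier.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=256;maxbytes=65536;"
            + DeserializationDemo.class.getName() + "$NodeStatus;"
            + "java.lang.Boolean;java.lang.String;!*");

    public static NodeStatus deserializeSafe(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(ALLOWLIST);   // must be set before the first read
            Object o = in.readObject();
            if (!(o instanceof NodeStatus)) {     // belt and braces: check the type too
                throw new InvalidObjectException("unexpected type " + o.getClass().getName());
            }
            return (NodeStatus) o;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed legitimate request body: accepted by both readers.
        byte[] good = serialize(new NodeStatus("node-1", true));
        System.out.println("safe reader accepted: " + deserializeSafe(good).node);

        // Constructed body naming a class outside the allowlist. A harmless
        // HashMap stands in for any object the unsafe reader would blindly
        // reconstruct; the filtered reader refuses it before loading the class.
        byte[] other = serialize(new java.util.HashMap<String, String>(Map.of("k", "v")));
        System.out.println("unsafe reader returned: " + deserializeUnsafe(other).getClass().getName());
        try {
            deserializeSafe(other);
        } catch (InvalidClassException e) {
            System.out.println("safe reader rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with any JDK 9 or later (`javac DeserializationDemo.java && java DeserializationDemo`). The per-stream filter is the targeted fix; as defense in depth, the same pattern syntax can be applied process-wide through the `jdk.serialFilter` system property, which covers every ObjectInputStream in the JVM, including ones in third-party code.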

Impact

Exploitation of this vulnerability could lead to unauthorized command execution with root privileges on the affected device.

Remediation

Cisco has released software updates that address this vulnerability. Customers with service contracts should obtain these updates through their usual channels. For instructions on upgrading, refer to the Cisco Identity Services Engine support page.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  spread          4.5
  impact          7.5
  exploitability  4.9
  remediation     7.7
  relevance       0.0
  threat          0.2
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.