CrowdSec Threat Intelligence has observed a new wave of targeted exploitation attempts centered around CVE-2025-20281. CVE-2025-20281 is a critical Remote Code Execution (RCE) vulnerability in Cisco Identity Services Engine (ISE). In this week’s threat alert, we dive into how this vulnerability works, how attackers exploit it, and why it might be seeing a resurgence this week.


Key findings
- CVE-2025-20281 (CVSS 10.0) was published on June 25, 2025. CrowdSec released a detection rule on August 13, 2025, to identify and block exploitation attempts. A fresh spike of exploitation was observed starting February 23, 2026.
- CVE-2025-20281 originates from insufficient validation of user-supplied input in the REST API of Cisco ISE. It allows an unauthenticated attacker to run arbitrary commands with root privileges.
- While the attacks in the first weeks after disclosure were a mix of targeted and opportunistic activity, the recent surge is driven mainly by opportunistic actors who have folded CVE-2025-20281 into their exploit kits.
What is Cisco Identity Services Engine (ISE)?
Cisco Identity Services Engine (ISE) is a network administration product used by large enterprises to enforce security and access policies for endpoint devices. It acts as a gatekeeper, determining who and what can access the network. It is primarily managed by IT network administrators and security operations teams. A compromise of the ISE appliance is a “game over” scenario for network security. Since ISE manages trust and access, an attacker with root control over the service can bypass network segmentation, create backdoors, and gain unrestricted access to sensitive internal resources. The business impact ranges from data theft to full-scale ransomware deployment across the internal network.
How does CVE-2025-20281 work?
This vulnerability resides in Cisco ISE’s REST API. Due to insufficient validation of user-supplied input, an unauthenticated remote attacker can send a crafted HTTP request to the /ers/sdk endpoint. Using malicious commands injected into the name field of the JSON payload, the attacker can execute arbitrary operating system commands as the root user. This exploit requires no authentication and no user interaction, making it particularly dangerous.
Threat Landscape Analysis
CrowdSec CTI data initially showed a pattern of "targeted exploitation" for this CVE: after a spike following public disclosure and the proof-of-concept release, the number of attacking IPs settled at a lower level. The recent surge in attack volume suggests that opportunistic attackers have now added the exploit to their repertoire, so the smaller set of sophisticated actors using it in specific campaigns is now drowned out by mass, indiscriminate scanning.
How to protect your systems
- Lock down your admin interfaces: Restrict access to the ISE administrative interfaces and APIs. Ensure they are not exposed to the public internet and are only accessible from trusted management networks. Review logs for any suspicious requests to /ers/sdk.
- Patch: Apply the patches provided by Cisco in the official advisory immediately. This is the only definitive fix.
- Block: Deploy the CrowdSec WAF to proactively block IPs identified as attacking this vulnerability. The CrowdSec Community Blocklist includes IPs exhibiting this specific exploitation behavior, protecting your network even before you can patch.
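The two log-review checks that follow from the sections above (requests to /ers/sdk reaching the appliance from outside the management network, and a JSON `name` field carrying shell metacharacters) can be scripted. The block below is an added example written for this page; it is not CrowdSec's code, not a CrowdSec scenario, and not Cisco's log format. The log line layout, the management network 10.10.0.0/24, and the sample entries are all constructed for illustration; adapt the regular expression to whatever your log forwarder actually emits.

```python
import ipaddress
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: management networks permitted to reach the ISE admin/API interfaces.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Characters that have no business in a legitimate object "name" but are needed
# to chain or substitute shell commands.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")

# Constructed log layout for this example (not Cisco's native format):
#   <client_ip> <method> <path> <status> <json_body_or_dash>
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<body>.*)$"
)


@dataclass
class Finding:
    ip: str
    path: str
    reason: str


def is_trusted(ip: str) -> bool:
    """True if the client address falls inside an allowed management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def suspicious_name_field(body: str) -> Optional[str]:
    """Return the first 'name' value containing shell metacharacters, searching
    nested objects and arrays; None if the body is not JSON or is clean."""
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    stack = [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "name" and isinstance(value, str) and SHELL_META.search(value):
                    return value
                stack.append(value)
        elif isinstance(node, list):
            stack.extend(node)
    return None


def analyze_line(line: str) -> Optional[Finding]:
    """Flag a single log line if it is an /ers/sdk request that violates either check."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path, body = m["ip"], m["path"], m["body"]
    if not path.startswith("/ers/sdk"):
        return None
    if not is_trusted(ip):
        return Finding(ip, path, "request to /ers/sdk from outside the management network")
    bad = suspicious_name_field(body)
    if bad is not None:
        return Finding(ip, path, f"shell metacharacters in name field: {bad!r}")
    return None


def analyze_log(lines: List[str]) -> List[Finding]:
    return [f for f in (analyze_line(l) for l in lines) if f is not None]


# Constructed sample entries: one ordinary ERS call, one clean /ers/sdk request from
# the management network, one /ers/sdk request from an external address, and one
# /ers/sdk request from inside the management network with a tainted name field.
SAMPLE_LOG = [
    '10.10.0.5 GET /ers/config/endpoint 200 -',
    '10.10.0.5 POST /ers/sdk 200 {"name":"lab-endpoint-01"}',
    '203.0.113.77 POST /ers/sdk 200 {"name":"x"}',
    '10.10.0.9 POST /ers/sdk 500 {"name":"x; id"}',
]

if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(f"{finding.ip} {finding.path}: {finding.reason}")
```

The second check is deliberately applied even to trusted sources: a compromised admin workstation inside the management network is exactly the case the network restriction does not cover, and a 5xx status on such a request is worth treating as a possible failed exploitation attempt rather than an application bug.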
