CISCO-SA-ISE-UNAUTH-RCE-ZAD2GNJ6

CISCO-SA-ISE-UNAUTH-RCE-ZAD2GNJ6 PUBLISHED CVSS 10 CRITICAL

Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user. For more information about these vulnerabilities, see the Details section of this advisory.

Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.

Note: Since the publication of version 1.0 of this advisory, improved fixed releases have become available. Cisco recommends upgrading to an enhanced fixed release as follows:

  • If Cisco ISE is running Release 3.4 Patch 2, no further action is necessary.
  • If Cisco ISE is running Release 3.3 Patch 6, additional fixes are available in Release 3.3 Patch 7, and the device must be upgraded.
  • If Cisco ISE has either hot patch ise-apply-CSCwo99449_3.3.0.430_patch4-SPA.tar.gz or hot patch ise-apply-CSCwo99449_3.4.0.608_patch1-SPA.tar.gz installed, Cisco recommends upgrading to Release 3.3 Patch 7 or Release 3.4 Patch 2. The hot patches did not address CVE-2025-20337 and have been deferred from CCO.

Risk Scores

CVSS v3.1
10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Affected Products

Vendor   Product                              Versions
Cisco    ISE Passive Identity Connector
Cisco    Identity Services Engine Software

Timeline

  • Jun 25, 2025 CVE Published
  • Jul 24, 2025 CVE Updated