How to Fix CVE-2025-20286: Use of Hard-coded Password in Cisco Identity Services Engine Software
| Severity | CVSS 9.9 (Critical) |
|---|---|
| Actively exploited? | No public reports of in-the-wild exploitation; not currently listed in CISA KEV. |
| Affected | Cisco Identity Services Engine Software 3.1.0 / 3.1.0 p1 / 3.1.0 p3 / 3.1.0 p2 / 3.2.0 / 3.1.0 p4 / 3.1.0 p5 / 3.2.0 p1 / 3.1.0 p6 / 3.2.0 p2 / 3.1.0 p7 / 3.3.0 / 3.2.0 p3 / 3.2.0 p4 / 3.1.0 p8 / 3.2.0 p5 / 3.2.0 p6 / 3.1.0 p9 / 3.3 Patch 2 / 3.3 Patch 1 / 3.3 Patch 3 / 3.4.0 / 3.2.0 p7 / 3.3 Patch 4 / 3.4 Patch 1 / 3.1.0 p10 / 3.3 Patch 5 |
| Fixed in | See the vendor advisory linked in References for the exact patched version |
| Type (CWE) | CWE-259: Use of Hard-coded Password |
What is CVE-2025-20286?
A vulnerability in Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) cloud deployments of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to access sensitive data, execute limited administrative operations, modify system configurations, or disrupt services within the impacted systems. This vulnerability exists because credentials are improperly generated when Cisco ISE is being deployed on cloud platforms, resulting in different Cisco ISE deployments sharing the same credentials.
Hard-coded credentials are an unconditional bypass: no exploit chain, no clever timing, just knowing the credential lets the attacker log in. Once the value appears in advisories or scanner plugins, assume every commodity scanner carries it immediately.
Am I affected?
You are affected if you run Cisco Identity Services Engine Software 3.1.0 / 3.1.0 p1 / 3.1.0 p3 / 3.1.0 p2 / 3.2.0 / 3.1.0 p4 / 3.1.0 p5 / 3.2.0 p1 / 3.1.0 p6 / 3.2.0 p2 / 3.1.0 p7 / 3.3.0 / 3.2.0 p3 / 3.2.0 p4 / 3.1.0 p8 / 3.2.0 p5 / 3.2.0 p6 / 3.1.0 p9 / 3.3 Patch 2 / 3.3 Patch 1 / 3.3 Patch 3 / 3.4.0 / 3.2.0 p7 / 3.3 Patch 4 / 3.4 Patch 1 / 3.1.0 p10 / 3.3 Patch 5.
On the Cisco IOS XE / NX-OS / IOS CLI (and on the ISE admin CLI, which provides the same command):

```
show version
```

For ASA/FTD: `show version`. For appliances with a web admin interface: System → About. Compare the result to the fixed release in the Cisco Security Advisory linked under References.
If the running build is older than the patched release the advisory lists, this CVE applies and you should follow the remediation steps below.
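To make the version check repeatable across many cloud nodes, here is an added Python example (not Cisco's code and not taken from the advisory) that parses the text of ISE `show version` output and reports whether the node sits below the fixed patch level. The sample output is a constructed approximation of the ISE CLI's layout, and the fixed patch numbers passed to `assess()` are placeholders: take the real ones from the fixed-software table in the advisory.

```python
"""Check an ISE node's release train and patch level against the advisory's fixed level.

Added example; not Cisco's code. SAMPLE_SHOW_VERSION is a constructed
approximation of ISE admin-CLI `show version` output, and the fixed patch
numbers passed to assess() are placeholders to be replaced with the
advisory's values.
"""
import re

# Constructed sample, modelled on the layout of ISE `show version` output.
SAMPLE_SHOW_VERSION = """\
Cisco Application Deployment Engine OS Release: 3.3
ADE-OS Build Version: 3.3.0.430
ADE-OS System Architecture: x86_64

Hostname: ise-pan-1

Version information of installed applications
---------------------------------------------

Cisco Identity Services Engine
---------------------------------------------
Version      : 3.3.0.430
Build Date   : Wed Aug  2 23:19:13 2023
Install Date : Thu Aug 24 08:16:33 2023

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 1
Install Date : Tue Sep 12 10:02:11 2023

Cisco Identity Services Engine Patch
---------------------------------------------
Version      : 2
Install Date : Tue Nov 14 10:02:11 2023
"""

# The application block is "Cisco Identity Services Engine", a dash rule, then
# "Version : X.Y.Z.build"; each installed patch repeats the block with a bare number.
_APP_RE = re.compile(
    r"^Cisco Identity Services Engine\n-+\nVersion\s*:\s*(\d+)\.(\d+)", re.M)
_PATCH_RE = re.compile(
    r"^Cisco Identity Services Engine Patch\n-+\nVersion\s*:\s*(\d+)", re.M)


def parse_ise_version(text):
    """Return (release train such as '3.3', highest installed patch number)."""
    m = _APP_RE.search(text)
    if not m:
        raise ValueError("no 'Cisco Identity Services Engine' version block found")
    train = f"{m.group(1)}.{m.group(2)}"
    patches = [int(p) for p in _PATCH_RE.findall(text)]
    return train, max(patches, default=0)


def assess(text, fixed_patch_by_train, cloud_deployed):
    """Classify a node as 'affected', 'fixed', 'out-of-scope' or 'train-not-in-table'.

    fixed_patch_by_train maps a train ('3.1', '3.2', ...) to the first patch
    number that carries the fix, copied from the advisory (placeholders here).
    cloud_deployed reflects the advisory summary: the flaw is in AWS, Azure and
    OCI deployments; confirm the scope for your own topology against the advisory.
    """
    train, patch = parse_ise_version(text)
    required = fixed_patch_by_train.get(train)
    if required is None:
        status = "train-not-in-table"   # a train the table does not cover: check by hand
    elif not cloud_deployed:
        status = "out-of-scope"
    elif patch >= required:
        status = "fixed"
    else:
        status = "affected"
    return {"train": train, "patch": patch, "required_patch": required, "status": status}


if __name__ == "__main__":
    # PLACEHOLDER patch levels; NOT from the advisory. Replace before use.
    placeholder_fixed = {"3.1": 99, "3.2": 99, "3.3": 99, "3.4": 99}
    print(assess(SAMPLE_SHOW_VERSION, placeholder_fixed, cloud_deployed=True))
```

Feed it the saved output of `show version` from each node; a node whose train is missing from the table is reported separately rather than silently treated as fixed, which is the failure mode to avoid when the affected list is as long as the one above.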
How to fix CVE-2025-20286
The vendor fix is to upgrade to a patched build. The official advisory linked under References lists the exact patched version for each deployment model; confirm it there before scheduling the upgrade.
- Read the official advisory for the exact patched build that applies to your deployment model (see https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7).
- Plan the upgrade window. Cisco Identity Services Engine Software updates are not always hot-pluggable; check the vendor's release notes for required restarts, database migrations, or licensing steps before scheduling production downtime.
- Take a verified backup of configuration and data before upgrading. Roll-back is faster than rebuilding.
- Apply the patch or upgrade using your normal package or vendor installer flow. Use the vendor's documented procedure, not a third-party guide.
- Restart services as the advisory directs. Some fixes only become active after a service restart, others after a full reboot.
Upgrade the affected Cisco platform
The block below is the generic Cisco IOS-style image upgrade flow. Cisco ISE is a Linux-based appliance that installs patch bundles from its admin CLI or web GUI rather than booting an image from flash, so treat the block as a checklist of the steps (verify, stage, install, reload, verify) and take the exact ISE commands from the advisory and release notes.

```
! Verify the running release on the device
show version
show inventory
! Stage the patched image from the Cisco Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7
copy tftp://<fileserver>/<patched-image>.bin flash:
! Set the boot image and reload in a maintenance window
configure terminal
boot system flash:<patched-image>.bin
end
write memory
reload
! After reload, confirm the new image is running
show version | include image
```
Verify the fix landed

```
# 1. Confirm the running version matches the fixed-in version from the advisory:
#    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7
#    Use the platform-specific version probe above.
# 2. Re-scan with your vulnerability scanner (Nessus, Qualys, Tenable, OpenVAS).
#    The scanner should no longer flag CVE-2025-20286 on the patched target.
# 3. Inspect recent service / kernel logs for crash loops or rollback events.
#    These two commands need a shell on the host; on ISE, which does not expose
#    one by default, use the admin CLI's show logging commands and the GUI instead.
journalctl -u <service> --since "10 minutes ago"
dmesg --since "10 minutes ago"
```
If you can't patch immediately
Apply only mitigations documented by the vendor. If no official workaround is published, the patched build is the only supported remediation. While you plan the upgrade window:
- Restrict network reach. Put Cisco Identity Services Engine Software behind a VPN, an allow-listed reverse proxy, or a firewall rule (for the AWS, Azure and OCI deployments this CVE concerns, the security group or network security group attached to the ISE instance) that limits source IPs to the addresses that legitimately need access. This shrinks the attack surface without changing the application.
- Enforce a second authentication factor at the network edge (reverse proxy with mTLS, IP allow-list, or SSO with MFA). This adds a control layer the bug cannot bypass on its own.
- Increase logging and alerting on the affected service. Even if the workaround does not block the exploit, fast detection of an attempt is a meaningful control.
How to verify the fix worked
- Confirm the running version of Cisco Identity Services Engine Software matches or exceeds the patched build the vendor specifies. The CVE record under References lists the fixed version explicitly.
- Check service logs for restart messages and verify the service came up clean after the upgrade. A failed restart that silently rolls back to the unpatched binary is a common operational mistake.
- Review the audit log for any suspicious access during the period the system was unpatched. Pre-patch exploitation leaves traces; failed login bursts, unexpected file uploads, and new admin accounts are common indicators. If the host was reachable from the internet during the exposure window, assume the IoC hunt is mandatory rather than optional.
- Re-run a vulnerability scanner (Nessus, Qualys, Tenable, OpenVAS) against the host after patching. The scanner should no longer flag this CVE on the same target. If it still does, double-check that you upgraded the right component, since many products bundle several services and only one of them may carry the fix.
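The hunt called for in the audit-log bullet above, and the detection that the "increase logging and alerting" mitigation relies on while a node is still unpatched, as an added Python example (not Cisco's code; ISE's real audit record format differs from the constructed one used here). It runs over constructed, syslog-style admin audit lines and flags two of the indicators the text names: a burst of failed admin logins from one source inside a short window, and creation of a new admin account, marked suspicious when the source is outside a constructed allow-list of admin workstations.

```python
"""Triage constructed ISE-style admin audit lines for the indicators named above.

Added example; not Cisco's code. SAMPLE_AUDIT_LOG and the key=value layout
are constructed for illustration; map the field names to your real export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammers the admin login, succeeds, then adds an account.
SAMPLE_AUDIT_LOG = """\
2025-06-04T09:30:00Z ise-pan-1 event=admin-login user=admin src=10.0.0.5 result=SUCCESS
2025-06-04T10:00:01Z ise-pan-1 event=admin-login user=admin src=203.0.113.7 result=FAILED
2025-06-04T10:00:04Z ise-pan-1 event=admin-login user=admin src=203.0.113.7 result=FAILED
2025-06-04T10:00:09Z ise-pan-1 event=admin-login user=admin src=203.0.113.7 result=FAILED
2025-06-04T10:00:15Z ise-pan-1 event=admin-login user=admin src=203.0.113.7 result=FAILED
2025-06-04T10:00:22Z ise-pan-1 event=admin-login user=admin src=203.0.113.7 result=FAILED
2025-06-04T10:00:31Z ise-pan-1 event=admin-login user=admin src=203.0.113.7 result=SUCCESS
2025-06-04T10:02:10Z ise-pan-1 event=admin-user-created actor=admin new_user=svc-backup role=SuperAdmin src=203.0.113.7
2025-06-04T11:15:00Z ise-pan-1 event=admin-login user=ops src=198.51.100.5 result=FAILED
2025-06-04T11:40:00Z ise-pan-1 event=admin-login user=ops src=198.51.100.5 result=FAILED
"""

_KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn '<timestamp> <host> k=v k=v ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, _host, rest = line.split(" ", 2)
        ev = dict(_KV_RE.findall(rest))
        ev["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return (src, window_start, count) for each source with >= threshold
    failed admin logins inside any sliding window of the given length."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("event") == "admin-login" and ev.get("result") == "FAILED":
            by_src[ev["src"]].append(ev["ts"])
    bursts = []
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                bursts.append((src, stamps[start], end - start + 1))
                break   # one finding per source is enough for triage
    return bursts


def new_admin_accounts(events, trusted_admin_sources):
    """Return (ts, actor, new_user, src, suspicious) for every admin account
    creation; suspicious is True when the source is not a known admin host."""
    return [
        (ev["ts"], ev["actor"], ev["new_user"], ev["src"], ev["src"] not in trusted_admin_sources)
        for ev in events
        if ev.get("event") == "admin-user-created"
    ]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT_LOG)
    for finding in failed_login_bursts(evs):
        print("failed-login burst:", finding)
    for finding in new_admin_accounts(evs, trusted_admin_sources={"10.0.0.5"}):
        print("admin account created:", finding)
```

The two findings together (a burst followed by a success and an account creation from the same address) are exactly the pattern a shared-credential bug produces, so correlate them by source address rather than reviewing each list on its own.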
Related fixes
Other vulnerabilities in the same area that are worth patching alongside this one:
- How to Fix CVE-2025-20309: Use of Hard-coded Credentials in Cisco Unified Communications Manager
- How to Fix CVE-2025-20265: CWE-74 (Injection) in Cisco Firepower Management Center
- How to Fix CVE-2025-20354: Unrestricted Upload of File with Dangerous Type in Cisco Unified Contact Center Express
- How to Fix CVE-2025-20282: Improper Privilege Management in Cisco Identity Services Engine Software
- How to Fix CVE-2025-20260: Buffer Overflow in ClamAV
Frequently asked questions
Is CVE-2025-20286 being exploited in the wild?
There are no public reports of in-the-wild exploitation at the time of this writing, and it is not currently listed in CISA KEV. That does not mean exploitation will not happen. Patch on the vendor timeline regardless.
Does the patch require a reboot?
It depends on the deployment. Cisco Identity Services Engine Software updates that replace running services usually need at minimum a service restart; some require a host reboot. Check the vendor release notes linked under References for the exact post-upgrade steps.
What if my version of Cisco Identity Services Engine Software is end-of-life?
End-of-life builds will not receive the fix. The vendor's published guidance in cases like this is to upgrade to a supported branch first, then apply the patched build. Running an EOL release on an internet-reachable interface is the higher risk.
References
- Official vendor advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-aws-static-cred-FPMjUcm7
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20286
- CISA KEV catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
*This guide was assembled from the official vendor advisory, the NVD record, and the CISA KEV listing on 2026-05-25. Always confirm against the vendor's advisory before applying changes in production. Byline: Sai Kiran Pandrala.*