CVE-2025-20125
CRITICALDescription
A vulnerability in an API of Cisco ISE could allow an authenticated, remote attacker with valid read-only credentials to obtain sensitive information, change node configurations, and restart the node. This vulnerability is due to a lack of authorization in a specific API and improper validation of user-supplied data. An attacker could exploit this vulnerability by sending a crafted HTTP request to a specific API on the device. A successful exploit could allow the attacker to attacker to obtain information, modify system configuration, and reload the device. Note: To successfully exploit this vulnerability, the attacker must have valid read-only administrative credentials. In a single-node deployment, new devices will not be able to authenticate during the reload time.
Is your site exposed to CVE-2025-20125?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| cisco | identity_services_engine |
| cisco | identity_services_engine |
| cisco | identity_services_engine |
| cisco | identity_services_engine |
| cisco | identity_services_engine |
| cisco | identity_services_engine |
| cisco | identity_services_engine |
| cisco | identity_services_engine |
| cisco | identity_services_engine |
| cisco | identity_services_engine |
| cisco | identity_services_engine |
| cisco | identity_services_engine |
| cisco | identity_services_engine |
| cisco | identity_services_engine |
| cisco | identity_services_engine |
| cisco | identity_services_engine |
| cisco | identity_services_engine |
| cisco | identity_services_engine |
| cisco | identity_services_engine |
| cisco | identity_services_engine |
| cisco | identity_services_engine |
| cisco | identity_services_engine |
References
Frequently Asked Questions
What is CVE-2025-20125? +
How severe is CVE-2025-20125? +
What products are affected by CVE-2025-20125? +
How do I check if I'm vulnerable to CVE-2025-20125? +
Related Vulnerabilities
NamelessMC is website software for Minecraft servers. In version 2.2.4, `modules/Forum/pages/forum/get_quotes.php` only checks whether the caller is logged in, then …
Insecure Direct Object References (IDOR) in access control in Customer Portal before 2.1.4 on NightWolf Penetration Testing allows an attacker …
Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf Penetration Testing allows an attacker to access …
fleetdm/fleet is an open source device management, built on osquery. In vulnerable versions of Fleet, an attacker could craft a …
An Unauthenticated Arbitrary File Read vulnerability affects the Agent when installed on a system. The parameter filename does not validate …
XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Starting in version 2.17.1 and prior to version …