June 30, 2025
Government Issues Alert Over Hackers Gaining Access to Cloud Systems Without Passwords

Jun 23, 2025

The National Computer Emergency Team has issued an advisory warning about a critical authentication bypass vulnerability affecting Cisco Identity Services Engine (ISE) cloud deployments.

The flaw, tracked as CVE-2025-20286 and rated 9.9 (Critical) on the CVSS scale, allows unauthenticated attackers to gain full administrative access to ISE instances deployed through official Cisco cloud images on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI).

The vulnerability poses a serious risk of complete system compromise, unauthorized data exposure, and network policy bypass.

According to the advisory, the vulnerability stems from credential reuse and improper session validation across cloud-based Cisco ISE images. It affects deployments created through Cisco’s official marketplace listings, but does not impact on-premises setups or custom cloud instances where the Primary Administration Node was manually configured.

A publicly available proof-of-concept (PoC) exploit significantly increases the threat level, enabling attackers to remotely connect to the exposed HTTPS management interface and execute privileged operations without any user interaction.

Successful exploitation may allow attackers to alter security configurations, disable access policies, access sensitive identity and authentication logs, and move laterally within the cloud environment using shared or leaked credentials.

The attack complexity is low, requires no prior access or credentials, and can be carried out entirely over the internet, making it a high-priority concern for organizations using affected ISE versions.

According to the advisory, the affected versions include Cisco ISE 3.1 through 3.4 deployed on AWS, Azure, and OCI. The root causes include hard-coded credentials, lack of proper access control validation, and insecure default configurations in Cisco’s marketplace-provided images. Cisco has acknowledged the vulnerability and released updated images in June 2025 that are considered secure if properly deployed.

Organizations are strongly advised to redeploy affected instances using the updated Cisco images. Where immediate replacement is not possible, emergency measures include restricting external access to the ISE admin interface, routing access through secure VPNs, enforcing MFA, and isolating cloud resources using virtual network controls.

Administrators should also rotate any credentials or access keys associated with the vulnerable instances.

Security teams are urged to analyze ISE logs for unauthorized access attempts, integrate monitoring with SIEM platforms, and initiate forensic reviews where compromise is suspected. Rapid response is essential to minimize risk, protect organizational assets, and prevent potential exploitation of this critical vulnerability.
