A critical vulnerability in Cisco Identity Services Engine (ISE), tracked as CVE-2025-20337, has been exploited by hackers to deploy malware. The flaw carries the maximum severity score of 10/10 and allows attackers to execute arbitrary code on affected systems.
Vulnerability Exploitation
The issue stems from inadequate validation of user-supplied input, which enables remote code execution before any authentication takes place. Hackers used the flaw to install a custom web shell disguised as a legitimate Cisco ISE component and named IdentityAuditAction.
- Cisco ISE flaw identified as CVE-2025-20337
- Allows unauthorized remote code execution
- Weak input validation led to the vulnerability
Technical Details and Mechanism
The custom web shell hooked into the Tomcat server's request handling, using Java reflection to manipulate running threads. It protected its traffic with DES encryption and a non-standard Base64 encoding, and it responded only to requests carrying specific HTTP headers, which further concealed its presence.
- Web shell operated in-memory using Java
- DES encryption implemented for stealth
- Targeted Tomcat server's HTTP requests
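As an added defender-side example (not code from this article, from Cisco, or from Amazon's report), the script below applies two of the indicators described above, an unexpected gating header and a Base64 body that uses a remapped alphabet, to a constructed HTTP request, and shows how a recovered custom alphabet is translated back to standard Base64 for decoding during analysis. The header baseline, the header name and the alphabet are all assumptions, not values taken from the real malware.

```python
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Baseline of headers a normal ISE client sends. Constructed for this example;
# derive the real baseline from your own traffic captures of the ISE admin UI.
EXPECTED_HEADERS = {"host", "user-agent", "accept", "accept-encoding", "content-type",
                    "content-length", "cookie", "authorization", "connection"}

def unexpected_headers(headers: dict) -> list:
    """A shell gated on a secret header needs a header the normal client never sends."""
    return sorted(h for h in headers if h.lower() not in EXPECTED_HEADERS)

def looks_like_custom_base64(body: str) -> bool:
    """Base64-shaped body (no whitespace, at most 64 distinct printable characters)
    whose character set is not a subset of the standard alphabet."""
    s = body.strip().rstrip("=")
    if len(s) < 16 or any(c.isspace() for c in s):
        return False
    chars = set(s)
    if chars <= set(STD_ALPHABET):
        return False  # ordinary Base64; decode it the usual way
    return len(chars) <= 64 and all(c.isprintable() for c in chars)

def decode_custom_base64(body: str, alphabet: str) -> bytes:
    """Map a recovered 64-character alphabet back onto the standard one, then decode."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    return base64.b64decode(body.strip().translate(str.maketrans(alphabet, STD_ALPHABET)))

def triage(request: dict) -> dict:
    """Both indicators for one captured request (headers dict plus body string)."""
    return {"unexpected_headers": unexpected_headers(request["headers"]),
            "custom_base64_body": looks_like_custom_base64(request["body"])}

# Constructed sample: a hypothetical remapped alphabet (vowels swapped for punctuation)
# and a request that uses it. Neither the alphabet nor the header name is from the real malware.
HYPOTHETICAL_ALPHABET = STD_ALPHABET.translate(str.maketrans("AEIOUaeiou", "!$*-_.~^|%"))
SAMPLE_PLAINTEXT = b"constructed sample payload for the decoder"
SAMPLE_BODY = base64.b64encode(SAMPLE_PLAINTEXT).decode().translate(
    str.maketrans(STD_ALPHABET, HYPOTHETICAL_ALPHABET))
SAMPLE_REQUEST = {"headers": {"Host": "ise.example.internal", "Content-Type": "text/plain",
                              "X-Hypothetical-Gate": "1"},
                  "body": SAMPLE_BODY}

if __name__ == "__main__":
    print(triage(SAMPLE_REQUEST), decode_custom_base64(SAMPLE_BODY, HYPOTHETICAL_ALPHABET))
```

The DES layer the article mentions is not modelled here: once the alphabet is undone, the recovered bytes would still need the key extracted from the sample.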
Security Implications
Amazon's threat intelligence unit observed the exploit being used widely and indiscriminately, but no specific threat actor or targeted industry has been identified. Organizations that rely on Cisco ISE should assess their systems promptly to mitigate the risk.