Govt Alerts That Hackers Can Breach Cloud Without Passwords

By Ayesha Anwar

The National Computer Emergency Team recently issued a security advisory on a serious authentication bypass vulnerability affecting Cisco Identity Services Engine (ISE) cloud deployments. According to the advisory, hackers can breach the administrative interface of ISE instances deployed from official Cisco cloud images on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI) without passwords.

The vulnerability is tracked as CVE-2025-20286 and has a CVSS rating of 9.9 (Critical). A cloud breach without passwords presents a significant risk of network policy circumvention, unauthorized data leakage, and total system compromise.

The advisory attributes the vulnerability to poor session validation and credential reuse across cloud-based Cisco ISE images. Deployments created from Cisco's official marketplace listings are impacted, whereas custom cloud instances and on-premise setups with a manually configured Primary Administration Node are not.

The threat level rose sharply with a publicly available proof-of-concept (PoC) exploit that allows attackers to remotely access the exposed HTTPS management interface and perform privileged actions without any user involvement.

Successful exploitation can allow attackers to move laterally through the cloud environment using shared or leaked information, alter security configurations, disable access restrictions, and gain access to crucial identity and authentication logs.

Because the attack has low complexity, requires no credentials or prior access, and can be carried out entirely remotely, it is a top priority for enterprises running impacted ISE versions.

The advisory states that Cisco ISE 3.1 through 3.4 running on AWS, Azure, and OCI are among the impacted versions. Hard-coded credentials, inadequate access control validation, and unsafe default configurations in Cisco marketplace-provided images are the main causes.

After acknowledging the issue, Cisco published revised images in June 2025 that are considered secure when applied correctly.

Organizations are strongly advised to redeploy the impacted instances using the updated Cisco images. When immediate replacement is not feasible, emergency measures include limiting external access to the ISE admin interface, enforcing MFA, routing access through secure VPNs, and isolating cloud resources using virtual network controls.

Any access keys or credentials connected to the vulnerable instances should also be rotated by administrators.
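A triage script for the mitigation steps above, added here as an example and not taken from the advisory or from Cisco: it flags inventory records that fall in the stated scope (marketplace image on AWS, Azure, or OCI, ISE 3.1 through 3.4) and whose admin port is reachable from outside trusted ranges. The record fields, port 443, and the trusted CIDR list are assumptions, the sample inventory is constructed, and records are assumed to predate redeployment from the updated images.

```python
import ipaddress

AFFECTED_PLATFORMS = {"aws", "azure", "oci"}  # clouds named in the advisory
AFFECTED_MIN, AFFECTED_MAX = (3, 1), (3, 4)   # ISE 3.1 through 3.4
ADMIN_PORT = 443  # assumption: admin interface on the default HTTPS port
# Assumption: RFC 1918 and IPv6 ULA space stand in for VPN/internal ranges.
TRUSTED = [ipaddress.ip_network(c) for c in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

INVENTORY = [  # constructed sample records, not real hosts
    {"name": "ise-aws-1", "platform": "AWS", "version": "3.3.0",
     "source": "marketplace", "ingress": [{"cidr": "0.0.0.0/0", "ports": (443, 443)}]},
    {"name": "ise-az-1", "platform": "Azure", "version": "3.2.0",
     "source": "marketplace", "ingress": [{"cidr": "10.20.0.0/16", "ports": (443, 443)}]},
    {"name": "ise-dc-1", "platform": "on-prem", "version": "3.4.0",
     "source": "custom", "ingress": [{"cidr": "0.0.0.0/0", "ports": (1, 65535)}]},
]

def in_scope(node):
    """Marketplace image, on a named cloud, in the affected version range."""
    major_minor = tuple(int(p) for p in node["version"].split(".")[:2])
    return (node["platform"].lower() in AFFECTED_PLATFORMS
            and node["source"] == "marketplace"  # custom images are not impacted
            and AFFECTED_MIN <= major_minor <= AFFECTED_MAX)

def untrusted_admin_sources(node):
    """Ingress CIDRs outside TRUSTED that can reach the admin port."""
    found = []
    for rule in node["ingress"]:
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        trusted = any(net.version == t.version and net.subnet_of(t) for t in TRUSTED)
        if rule["ports"][0] <= ADMIN_PORT <= rule["ports"][1] and not trusted:
            found.append(rule["cidr"])
    return found

def triage(inventory):
    """Return (name, action, exposed CIDRs) tuples, most urgent first."""
    rows = []
    for node in inventory:
        if not in_scope(node):
            rows.append((2, node["name"], "out of advisory scope", []))
            continue
        exposed = untrusted_admin_sources(node)
        action = "restrict admin access, then redeploy" if exposed else "redeploy from updated image"
        rows.append((0 if exposed else 1, node["name"], action, exposed))
    return [row[1:] for row in sorted(rows, key=lambda r: r[0])]

if __name__ == "__main__":
    print(*triage(INVENTORY), sep="\n")
```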

Where compromise is suspected, security teams are advised to start forensic investigations, integrate monitoring with SIEM platforms, and examine ISE logs for unauthorized access attempts. Quick action is necessary to reduce risk, protect organizational resources, and prevent abuse of this serious weakness.
