No login? No problem: Cisco ISE flaw gave root access before fix arrived, say researchers
(2025/07/24)
- Reference: 1753381688
- News link: https://www.theregister.co.uk/2025/07/24/no_login_no_problem_cisco_flaw/
- Source link:
Threat actors have actively exploited a newly patched vulnerability in Cisco's Identity Services Engine (ISE) software since early July, weeks before the networking giant got around to issuing a fix.
That's according to the Shadowserver Foundation, a nonprofit organization that scans and monitors the internet for exploitation. The foundation's CEO, Piotr Kijewski, told The Register on Thursday that it had observed signs of exploitation "of what we believe is CVE-2025-20281 around July 5th."
Kijewski added that the Shadowserver Foundation has observed a "few more exploitation attempts" since that time.
The bug in question, rated 10 out of 10 on the CVSS scale, is a remote code execution flaw in the web-based management interface of ISE, Cisco's network access control system.
If successfully exploited, it allows unauthenticated attackers to execute arbitrary commands with root privileges on vulnerable devices. That's right: no login required, no special permissions – just instant root access on the appliance.
Cisco first [4]flagged the vulnerability in an advisory on June 25, along with CVE-2025-20337 – another 10-out-of-10-rated flaw that, like its sibling, allows miscreants to run arbitrary commands as root. This was followed by the disclosure of a [5]third critical vulnerability that is also rated a perfect 10, CVE-2025-20282, on July 16.
Cisco's advisory has since been updated to confirm that "some of the bugs" are being actively exploited, though this confirmation came almost a full three weeks after Shadowserver first clocked signs of cybercriminals messing with CVE-2025-20281 in the wild.
"In July 2025, the Cisco PSIRT became aware of attempted exploitation of some of these vulnerabilities in the wild," the company said in the update published on July 21.
Cisco is keeping quiet on who's behind the attacks or how widespread the exploitation is, and isn't saying whether any data has been pilfered from hacker-hit corporate networks. The networking goliath also failed to respond to The Register's emails asking for more details.
Cisco has warned that there are no workarounds, so if you're running a vulnerable setup, patching pronto is your only option. The company has also had to roll out souped-up fixes after earlier patches proved ineffective at keeping criminals out.
"Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate these vulnerabilities," Cisco said at the time.
For those keeping score, this isn't Cisco's first brush with actively exploited vulns. Back in April, so-called "sophisticated" cyberspies were caught exploiting a zero-day in Cisco firewalls to snoop on global targets. ®
[4] https://www.theregister.com/2025/06/26/patch_up_cisco_fixes_two/
[5] https://www.theregister.com/2025/07/17/critical_cisco_bug/
Re: Scratching his chin
IGotOut
Audited. Oh that'll be Bob's job. Wait, we fired him last year to make number go up? Oh. Ok. Guess we'll have to find an intern to do it
Re: Scratching his chin
TaabuTheCat
>> Guess we'll have to find an intern to do it
Intern: "ChatGPT, audit the Cisco ISE source code I just uploaded."
Later that same day...
Hacker: "ChatGPT, find critical vulnerabilities in Cisco ISE code."
druck
Cisco probably don't understand that being called the Microsoft of networking is a bad thing.
Scratching his chin
>> Cisco has warned that there are no workarounds
The workaround is not to use Cisco.
>> Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate these vulnerabilities
Who audited this code, and does it have some other easy backdoors?