CVE-2025-20285: Cisco ISE IP Restriction Bypass via Authenticated API
CVE-2025-20285 Published on July 16, 2025
Cisco Identity Services Engine IP Filter Access Restriction for Admin Access Configuration Bypass Vulnerability
A vulnerability in the IP Access Restriction feature of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to bypass configured IP access restrictions and log in to the device from a disallowed IP address.
This vulnerability is due to improper enforcement of access controls that are configured using the IP Access Restriction feature. An attacker could exploit this vulnerability by logging in to the API from an unauthorized source IP address. A successful exploit could allow the attacker to gain access to the targeted device from an IP address that should have been restricted. To exploit this vulnerability, the attacker must have valid administrative credentials.
Vulnerability Analysis
CVE-2025-20285 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Weakness Type
Authentication Bypass by Assumed-Immutable Data
The authentication scheme or implementation uses key data elements that are assumed to be immutable, but can be controlled or modified by the attacker.
Products Associated with CVE-2025-20285
stack.watch emails you whenever new vulnerabilities are published in Cisco Identity Services Engine or Cisco Identity Services Engine Passive Identity Connector. Just hit a watch button to start following.
Affected Versions
Cisco Identity Services Engine Software:- Version 3.1.0 is affected.
- Version 3.1.0 p1 is affected.
- Version 3.1.0 p3 is affected.
- Version 3.1.0 p2 is affected.
- Version 3.2.0 is affected.
- Version 3.1.0 p4 is affected.
- Version 3.1.0 p5 is affected.
- Version 3.2.0 p1 is affected.
- Version 3.1.0 p6 is affected.
- Version 3.2.0 p2 is affected.
- Version 3.1.0 p7 is affected.
- Version 3.3.0 is affected.
- Version 3.2.0 p3 is affected.
- Version 3.2.0 p4 is affected.
- Version 3.1.0 p8 is affected.
- Version 3.2.0 p5 is affected.
- Version 3.2.0 p6 is affected.
- Version 3.1.0 p9 is affected.
- Version 3.3 Patch 2 is affected.
- Version 3.3 Patch 1 is affected.
- Version 3.3 Patch 3 is affected.
- Version 3.4.0 is affected.
- Version 3.2.0 p7 is affected.
- Version 3.3 Patch 4 is affected.
- Version 3.4 Patch 1 is affected.
- Version 3.1.0 p10 is affected.
- Version 3.3 Patch 5 is affected.
- Version 3.3 Patch 6 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.