The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert, adding three high-impact vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. These include two unauthenticated remote code execution flaws in Cisco Identity Services Engine (ISE) and one cross-site request forgery (CSRF) vulnerability affecting PaperCut NG/MF software.
Critical Cisco ISE Flaws: CVE‑2025‑20281 and CVE‑2025‑20337
The first two vulnerabilities, CVE‑2025‑20281 and CVE‑2025‑20337, target Cisco ISE and ISE-PIC versions 3.3 and 3.4. These flaws are caused by improper input validation in the API, allowing attackers to send specially crafted requests that execute commands on the system without needing to authenticate. Both vulnerabilities received a CVSS score of 10.0, the highest possible, reflecting their potential to completely compromise affected systems.
Cisco’s security advisory, first published on June 25, warned that CVE‑2025‑20281 could lead to unauthenticated command execution with root privileges. Shortly after, on July 16, the vendor added CVE‑2025‑20337 to the same advisory, noting growing signs of real-world exploitation attempts. Cisco confirmed these attacks in updates posted between July 21 and 24, urging all customers to upgrade immediately.
Cisco ISE plays a crucial role in identity and access management for many enterprise networks; an exploit could allow attackers to bypass security policies and gain deep control over IT infrastructure.
A Third Critical Cisco Bug: CVE‑2025‑20282
Although not listed in the KEV Catalog, Cisco also disclosed CVE‑2025‑20282, another unauthenticated RCE vulnerability. This flaw enables attackers to upload arbitrary files into protected directories in Cisco ISE version 3.4. Like the others, it carries a CVSS score of 10.0. While CISA hasn’t officially added it to the KEV list, Cisco’s inclusion of CVE‑2025‑20282 in the same advisory and evidence of exploitation suggests this vulnerability is equally urgent.
There are no workarounds for any of these Cisco flaws. Cisco advises upgrading to ISE / ISE-PIC version 3.3 Patch 7 or 3.4 Patch 2. Earlier hotfixes, such as Patch 4 or Patch 1, are insufficient.
PaperCut CSRF Flaw: CVE‑2023‑2533
The third vulnerability added to the KEV Catalog is CVE‑2023‑2533, a CSRF vulnerability in PaperCut NG/MF, which was originally disclosed in June 2023. Despite being over a year old, CISA’s decision to add it reflects ongoing exploitation in the wild.
CVE‑2023‑2533 affects PaperCut versions 21.2.0 to 22.0.12 across all major operating systems. The flaw allows an attacker to trick a logged-in admin into clicking a malicious link, potentially altering system configurations or executing arbitrary commands. It has been assigned a CVSS score of 8.4.
To address this issue, PaperCut Software released version 22.1.1, which includes multiple security hardening features, such as isolating script execution controls and restricting external executables. This version also mitigates two other vulnerabilities: CVE‑2023‑31046 (path traversal) and CVE‑2023‑39469 (a chained exploit scenario).
PaperCut emphasized that only the core application and site servers are impacted. Components such as Direct Print Monitors, Mobility Print, Hive, Pocket, and MFD Embedded software remain unaffected.
Timeline of Disclosures and Exploitation
- June 25, 2025: Cisco discloses CVE‑2025‑20281.
- July 16, 2025: Cisco updates the advisory to include CVE‑2025‑20337.
- July 21–24, 2025: Cisco confirms exploitation in the wild.
- Late July 2025: CISA adds CVE‑2025‑20281, CVE‑2025‑20337, CVE‑2025‑20282, and CVE‑2023‑2533 to the Known Exploited Vulnerabilities (KEV) Catalog.
While some sources report a lack of confirmed public exploitation, Cisco and CISA’s classification into the KEV Catalog indicates credible evidence of targeted attacks or widespread scanning activity.
Risks to Enterprise Infrastructure
Cisco ISE is central to network access control and user authentication. A successful attack exploiting CVE‑2025‑20281 or CVE‑2025‑20337 could allow a bad actor to gain root access to core systems, potentially compromising entire corporate networks. These vulnerabilities require no credentials or user interaction, significantly increasing their danger.
While the PaperCut CSRF issue may seem less severe, it remains a serious risk when the PaperCut admin portal is exposed on internal or external networks. CSRF vulnerabilities like CVE‑2023‑2533 can be used to silently alter configurations or even deploy malware in certain attack chains.
Conclusion
The addition of the recently added vulnerabilities, CVE‑2025‑20281, CVE‑2025‑20337, and CVE‑2023‑2533, highlights the importance of auditing infrastructure for affected versions of Cisco ISE / ISE-PIC and PaperCut NG/MF, applying the recommended security patches, and closely monitoring logs for any signs of compromise.
Network segmentation and system-level exploit mitigations should also be implemented to reduce exposure. These flaws, particularly the unauthenticated remote code execution risks in Cisco ISE and the actively exploited CSRF flaw in PaperCut, underline the urgent need for proactive defense strategies.
Delays in patching or relying on temporary fixes only widen the attack surface, at a time when adversaries are quick to exploit newly disclosed weaknesses in infrastructure software.
