06-25-2025 09:46 AM - edited 07-17-2025 09:25 AM
The Portuguese version of this Article can be found at: Vulnerabilidade que afeta o Cisco ISE (CVE-2025-20281 & 20282 & 20337).
Please be aware of the following CVEs (Common Vulnerabilities and Exposures) with CVSS (Common Vulnerability Scoring System) severity Critical:
CVE-2025-20281, CVE-2025-20282 & CVE-2025-20337, published June 25, 2025 and updated on Jul 16, 2025, described in:
CSCwo99449 Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerability.
CSCwp02821 Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerability.
CSCwp02814 Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerability.
Multiple vulnerabilities in Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute commands on the Operating System as the root user.
There is no workaround that will solve these vulnerabilities !!!
The vulnerabilities affect Cisco ISE in the following versions (June 25, 2025):
and were updated on Jul 16, 2025:
To access the version of Cisco ISE that fixes this CVE:
IMPORTANT: on June 25, 2025 the following hot patches were introduced as part of the fix, but as of July 16, 2025, Cisco recommends upgrading to 3.3 P7 or 3.4 P2 as the hot patches did not address CVE-2025-20337 and have been deferred.
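As an added example (not from the article or from Cisco), a small Python triage script that checks a constructed ISE node inventory against the recommended fix levels quoted above (3.3 P7 / 3.4 P2) and flags nodes still relying on the deferred HP-3.3P4-CSCwo99449 hot patch; the version-string format, the inventory and the build numbers are assumptions.

```python
# Added example, not part of the original article: triage an ISE node inventory
# against the fix levels the article quotes (3.3 P7 / 3.4 P2) and flag nodes
# that still rely on the deferred hot patch. Inventory data below is constructed.
import re
from dataclasses import dataclass, field

# Recommended cumulative patch level per release train (article, Jul 16, 2025).
RECOMMENDED_PATCH = {"3.3": 7, "3.4": 2}
# Hot patch named on the page that was deferred (did not cover CVE-2025-20337).
DEFERRED_HOT_PATCHES = {"HP-3.3P4-CSCwo99449"}

@dataclass
class Node:
    name: str
    version: str            # assumed format, e.g. "3.3.0.430 Patch 6"
    hot_patches: list = field(default_factory=list)

_VER_RE = re.compile(r"^(\d+\.\d+)\.\d+\.\d+(?:\s+Patch\s+(\d+))?$", re.IGNORECASE)

def parse_version(text: str):
    """Return (train, patch) from a version string; patch 0 when none is listed."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    return m.group(1), int(m.group(2) or 0)

def assess(node: Node) -> str:
    """Compare one node with the recommended level for its release train."""
    train, patch = parse_version(node.version)
    target = RECOMMENDED_PATCH.get(train)
    if target is None:
        # The article only quotes targets for 3.3 and 3.4; do not guess for others.
        return "unknown-train: check the advisory for release " + train
    if patch >= target:
        return "ok"
    deferred = sorted(set(node.hot_patches) & DEFERRED_HOT_PATCHES)
    hint = f" (deferred hot patch present: {', '.join(deferred)})" if deferred else ""
    return f"upgrade to {train} P{target}{hint}"

def triage(nodes):
    return {n.name: assess(n) for n in nodes}

# Constructed sample inventory; names and build numbers are placeholders.
SAMPLE = [
    Node("ise-pan-1", "3.3.0.430 Patch 4", ["HP-3.3P4-CSCwo99449"]),
    Node("ise-psn-1", "3.3.0.430 Patch 7"),
    Node("ise-psn-2", "3.4.0.608 Patch 1"),
    Node("ise-old", "3.2.0.542 Patch 7"),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE).items():
        print(f"{name:10} {status}")
```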
Good morning,
EDIT: The patch 4 is a hotpatch, rather than a full patch. Please discard my previous comment.
Please could I get some clarity around the fixed releases, specifically for CVE-2025-20281? We have a multi-node deployment running 3.3 patch 4.
It states for the 3.3 release, that patch 6 is the fixed release. But underneath it also states that patch 4 is also a fixed release (with the patch filename string).
Is this true? Or is patch 4 in there by mistake? Just with ISE patches being cumulative, I would have expected only patch 4 being mentioned, or it also including patch 5 in that list.
Thanks
I have a very simple question: For CVE-2025-20281, does anybody know if disabling REST API will work? Because Advisory clearly says there is no workaround.
In the bug there appears to be a thread about this discussion; unfortunately, I do not have access to it:
Hi @Jack S ,
yes, you are correct: HP-3.3P4-CSCwo99449 is a hot patch, it is not ISE 3.3 P4.
Hi @-dac- ,
the info about:
CSCwo99449 Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerability
the link for the ISE 3.3 P4 hot patch is HP-3.3P4-CSCwo99449.
Thanks for posting this.
When I click on the link you provided for CVE-2025-20281/282, it takes me to CVE-2025-20286! If that was intentional, I think you ought to make clear at the start that CVE-2025-20286 affects only the cloud instances of ISE and does not affect the on-premise versions of ISE, before people start panicking. Nothing wrong with patching, but the devil is always in the details.
Hi @Arne Bier ,
many thanks my friend ... I updated the link !!!
Please confirm if below still applies:
"If you installed a hot patch on your previous Cisco ISE release, you must roll back the hot patch before installing a patch. Otherwise, the services might not be started due to an integrity check security issue."
I installed HP-CLOUD-CSCwn63400 on ISE 3.3 Patch 4. Do I need to roll back the hot patch first before installing Patch 6?
Hi @Brian66351 ,
you are talking about this: Cisco ISE related Vulnerability (CVE-2025-20286) ... please, take a look at the IMPORTANT info at the end of this Article.
You do not need to roll back the HP before installing P6.
Hope this helps !!!
Yes @Marcelo Morais, that is the HP I am referring to.
The release note document for ISE 3.3 has this warning.
Seems to contradict the Vulnerability document.
Hi @Brian66351 ,
not all HPs need to be rolled back before an update; another example of this is:
CSCwi06794 - Live log delay (RADIUS) - Regression for CSCwe00424
Note: if you prefer to roll back the HP, please take a look at Cisco ISE related Vulnerability (CVE-2025-20286); at the end of the Article there is a "... To access the Cisco ISE version that fixes this CVE ..." section.
Hope this helps !!!
Noted @Marcelo Morais, thank you.
I will proceed with the update without the rollback.
Hello guys.
My deployment is as follows on cloud and on-prem:
Hi @cghaderpour ,
yes, you can install patch 6 on top of patch 4 & 5.
Release 3.3 P6 is the Suggested Release and resolves two important caveats from P5; please take a look at ISE Release Notes 3.3 and search for "Resolved caveats in Cisco ISE release 3.3 cumulative Patch 6".
It seems that they've updated the advisory and the hot patches have been deferred from CCO, due to the release of 3.3 Patch 7.
Hi @CiscoU9834 ,
Article updated !!!