Cisco's management and identity products keep showing up in the catalog
Smart Licensing Utility, Identity Services Engine, IOS XE, Catalyst SD-WAN Manager, Unified Communications Manager: a run of exploited Cisco bugs in 2024-2026, including a hardcoded credential and several unauthenticated RCEs. The management plane is the target.
Across 2024 to 2026, a cluster of Cisco vulnerabilities landed in the catalog, and they share a theme: they hit the management and identity plane, the systems that administer the network and authenticate access to it. These are different products with the same high stakes, so it’s worth reading them together.
Identity Services Engine (ISE)
CVE-2025-20281 and CVE-2025-20337 are unauthenticated remote code execution flaws in Cisco ISE, the platform that handles network authentication, authorization, and policy. RCE on ISE is a path to controlling who and what gets onto the network. Unauthenticated RCE on the identity layer is among the most serious things on this list, the same crown-jewel concern as the VMware Workspace ONE and ManageEngine identity bugs.
Smart Licensing Utility, a hardcoded credential
CVE-2024-20439 is a static, hardcoded administrative credential in the Cisco Smart Licensing Utility, an undocumented account an attacker can use to log in with admin rights. Hardcoded credentials are a recurring catalog theme (it’s effectively a built-in backdoor), and they’re exploited quickly once disclosed because the “exploit” is just knowing the password.
IOS XE, SD-WAN Manager, and UCM
CVE-2025-20352 is a stack overflow in the SNMP subsystem of IOS and IOS XE, exploited for code execution on the network gear itself. CVE-2026-20122, CVE-2026-20128, and CVE-2026-20133 are flaws in Catalyst SD-WAN Manager (the controller for SD-WAN fabrics, the same product family as the vManage/vDaemon bypass CVE-2026-20182), and CVE-2026-20045 is in Unified Communications Manager. CVE-2025-20393 spans multiple products. Across these, the pattern holds: the controller and management appliances, not the data-plane routers, are where the exploitable bugs and the leverage concentrate.
What to do
- Patch Cisco management/identity products on an emergency cadence. ISE, SD-WAN Manager, Smart Licensing Utility, and UCM are control-plane systems; treat their advisories like the high-priority items they are.
- Get management interfaces off the internet and onto a dedicated management network. None of these should be broadly reachable; restricting access defuses most of the exposure.
- For the hardcoded-credential bug, patch, then verify. CVE-2024-20439 can’t be mitigated by changing a password (it’s static in the code); the only fix is the update, after which you should confirm no unauthorized access occurred.
- Treat the identity and SD-WAN controllers as tier-zero. RCE on ISE or the SD-WAN manager is effectively control of network access; segment and monitor them accordingly.
- Assume compromise on exposed, unpatched instances and hunt for unauthorized access, new admin accounts, and post-exploitation; rotate credentials these systems held.
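Putting the list above into a triage pass over an asset inventory, as an added example (not code from the note or from Cisco): each appliance is scored on whether it still lacks the exploited CVEs the note lists for its product and whether its management address sits outside the dedicated management network. The inventory rows and the 10.255.0.0/24 management range are constructed; CVE-2025-20393 is left out because the note does not say which products it affects.

```python
"""Triage Cisco management-plane appliances: exposed + unpatched = emergency."""
import ipaddress
from dataclasses import dataclass, field

# Exploited CVEs per product, as listed in the note above.
KEV_CVES = {
    "ISE": {"CVE-2025-20281", "CVE-2025-20337"},
    "Smart Licensing Utility": {"CVE-2024-20439"},
    "IOS XE": {"CVE-2025-20352"},
    "SD-WAN Manager": {"CVE-2026-20122", "CVE-2026-20128", "CVE-2026-20133"},
    "UCM": {"CVE-2026-20045"},
}
TIER_ZERO = {"ISE", "SD-WAN Manager"}          # RCE here = control of network access
MGMT_NETS = [ipaddress.ip_network("10.255.0.0/24")]  # constructed management range

@dataclass
class Appliance:
    name: str
    product: str
    mgmt_ip: str
    fixed_cves: set = field(default_factory=set)  # advisories already applied

def missing_fixes(a):
    """Exploited CVEs for this product that the box has not been patched for."""
    return sorted(KEV_CVES.get(a.product, set()) - a.fixed_cves)

def off_mgmt_net(a):
    """True when the management interface is reachable outside the mgmt network."""
    ip = ipaddress.ip_address(a.mgmt_ip)
    return not any(ip in net for net in MGMT_NETS)

def triage(a):
    """Return (priority, reasons). 'emergency' means assume compromise and hunt."""
    reasons, missing, exposed = [], missing_fixes(a), off_mgmt_net(a)
    if missing:
        reasons.append("missing " + ", ".join(missing))
    if exposed:
        reasons.append(f"management IP {a.mgmt_ip} is outside the management network")
    if a.product in TIER_ZERO:
        reasons.append("tier-zero controller")
    if missing and exposed:
        return "emergency", reasons
    return ("high" if missing or exposed else "ok"), reasons

# Constructed sample inventory.
INVENTORY = [
    Appliance("ise-01", "ISE", "10.255.0.10", {"CVE-2025-20281"}),
    Appliance("slu-lab", "Smart Licensing Utility", "203.0.113.7"),
    Appliance("sdwan-mgr", "SD-WAN Manager", "10.255.0.20",
              {"CVE-2026-20122", "CVE-2026-20128", "CVE-2026-20133"}),
]

if __name__ == "__main__":
    for a in INVENTORY:
        prio, why = triage(a)
        print(f"{prio:9} {a.name:10} {'; '.join(why)}")
```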
The reframe is the same one that recurs for management infrastructure across vendors: the bug that matters is the one on the box that administers everything else, and Cisco’s ISE, SD-WAN Manager, and licensing/UC systems are exactly those boxes. Patch them fast, keep them off the open network, and watch them like the control plane they are. We track the Cisco management-plane entries together, because they keep being where the exploitable weaknesses land.