Cisco has issued a warning about a critical vulnerability (CVE-2025-20337, CVSS 10.0) in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that allows unauthenticated remote attackers to execute code as root via crafted API requests. The flaw, caused by insufficient input validation, affects versions 3.3 and 3.4 and has been patched in 3.3 Patch 7 and 3.4 Patch 2. Although no exploitation has been observed yet, Cisco urges prompt updates. The alert coincides with ongoing exploitation of a similar Fortinet FortiWeb flaw (CVE-2025-25257), which is being used to drop web shells on compromised systems globally.