Cisco ISE Remote Code Execution Vulnerability
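Vulnerability information
Vulnerability name: Cisco ISE Remote Code Execution Vulnerability
Vulnerability ID:
- CVE: CVE-2025-20281
Vulnerability type: Command execution
Severity: Critical
Vulnerability description:
Affected products
Cisco ISE (Identity Services Engine) and Cisco ISE-PIC (ISE Policy Service Node) are Cisco's identity services engine and policy service node, widely used in enterprise networks for authentication, access control and policy enforcement. These products are typically deployed in enterprise-grade networks to ensure network security and compliance.
Vulnerability details
This is a remote code execution vulnerability. Because a specific API insufficiently validates user-supplied input, an unauthenticated remote attacker can execute arbitrary code with root privileges through a crafted API request. The root cause is inadequate input validation, which allows an attacker to inject malicious code or commands.
Impact analysis
The security risk of this vulnerability is extremely high: an attacker can execute arbitrary code remotely without authentication, which can lead to full system compromise, data leakage, service disruption and other serious consequences. Because the attacker can execute code with root privileges, the attacker gains the highest level of privilege on the system and can perform arbitrary operations on it. In addition, the vulnerability can be exploited by automated tools, which increases the likelihood of large-scale attacks. Users are therefore advised to apply remediation as soon as possible to prevent potential security threats.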
Vendor: Cisco
Product name: Cisco ISE, Cisco ISE-PIC
Search syntax: http.title:"identity services engine"
Source: https://github.com/projectdiscovery/nuclei-templates/issues/12707
Type: projectdiscovery/nuclei-templates:github issues
Source summary
Description:
Cisco ISE and Cisco ISE-PIC contain a remote code execution vulnerability caused by insufficient validation of user-supplied input in a specific API, letting unauthenticated remote attackers execute arbitrary code as root; the exploit requires a crafted API request.
Severity: Critical
POC:
- https://github.com/B1ack4sh/Blackash-CVE-2025-20281
- https://github.com/ill-deed/Cisco-CVE-2025-20281-illdeed
- https://github.com/grupooruss/CVE-2025-20281-Cisco
- https://github.com/abrewer251/CVE-2025-20281-2-Citrix-ISE-RCE
- https://github.com/abrewer251/CVE-2025-20281-2-Cisco-ISE-RCE
KEV: True
Shodan Query: http.title:"identity services engine"
Acceptance Criteria: The template must include a complete POC and should not rely solely on version-based detection. Contributors are required to provide debug data (-debug) along with the template to help the triage team with validation or can also share a vulnerable environment like docker file.
Rewards will only be given once the template is fully validated by the team. Templates that are incomplete or invalid will not be accepted. Avoid adding code templates for CVEs that can be achieved using HTTP, TCP, or JavaScript. Such templates are blocked by default and won’t produce results, so we prioritize creating templates with other protocols unless exceptions are made.
You can check the FAQ for the Nuclei Templates Community Rewards Program here.