PoC details: 2f6cbd043fdca9218e0213cd326a6d6f949e226e

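Source
Related vulnerability
Title: Cisco ISE and Cisco ISE-PIC security vulnerability (CVE-2025-20282)
Description: Cisco ISE and Cisco ISE-PIC are both products of Cisco, a US company. Cisco ISE is a NAC solution used to manage endpoint, user and device access to network resources in a zero-trust architecture. Cisco ISE-PIC is a component. Cisco ISE and Cisco ISE-PIC contain a security vulnerability that stems from insufficient file validation and may allow arbitrary files to be uploaded and executed.
Description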
Proof of concept of CVE-2025-20282, the perfect 10.
Introduction
Cisco ISE CVE 2025-20282

Proof of concept


The Python script abuses the upload function that is available unauthenticated at /admin/files-upload/

The script locally creates a bin folder containing a file named isehourlycron.sh and fills it with the original content of that file from the Cisco ISE installation (located in the /opt/CSMS/bin folder). The original file is base64 encoded and included in the script.

A command is then added at the end of the file, unless you specify "--reset"; in that case the command is not added and the file is reverted to the original content.

The script then zips that folder recursively, with its content, to a file named output.zip.

The file is then uploaded to the ISE installation using /admin/files-upload/.

On the Cisco ISE side, output.zip is placed in /tmp/ and all its content is extracted to the /opt/CSCOcpm/ folder.

isehourlycron.sh runs as root several times within an hour, which allows remote code execution as root.
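
A defender-side triage check for the tampering pattern described above, as an added example that is not part of the original README or the PoC: it compares a deployed isehourlycron.sh with a known-good copy and reports lines appended after the intact original. The helper name and the sample script contents are constructed assumptions, not Cisco's file.

```python
import hashlib

# Constructed stand-in for a known-good isehourlycron.sh (not Cisco's real content).
BASELINE = "#!/bin/bash\n# hourly maintenance (constructed sample)\n/opt/example/bin/hourly-task.sh\n"
# Constructed tampered copy: baseline intact, one extra line at the end.
TAMPERED = BASELINE + "\n/tmp/constructed-extra-command\n"


def _norm(text):
    """Split into lines, ignoring CRLF, trailing spaces and trailing blank lines."""
    lines = [l.rstrip() for l in text.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return lines


def triage_cron_script(baseline, current):
    """Hypothetical helper: classify `current` against a known-good `baseline`.

    verdict is "match", "appended" (baseline intact, extra lines follow it,
    the pattern the README describes) or "modified" (baseline itself changed).
    """
    base, cur = _norm(baseline), _norm(current)
    report = {
        "sha256": hashlib.sha256(current.encode()).hexdigest(),  # for the case record
        "verdict": "modified",
        "extra_lines": [],
    }
    if cur == base:
        report["verdict"] = "match"
    elif cur[:len(base)] == base:
        report["verdict"] = "appended"
        # Everything after the intact baseline, blank lines dropped.
        report["extra_lines"] = [l for l in cur[len(base):] if l]
    return report


if __name__ == "__main__":
    for name, text in (("baseline", BASELINE), ("tampered", TAMPERED)):
        r = triage_cron_script(BASELINE, text)
        print(name, r["verdict"], r["extra_lines"], r["sha256"][:16])
```

Because the "--reset" option described above restores the original content, a "match" verdict does not rule out earlier tampering; check the file's modification time and the presence of output.zip in /tmp/ as well.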

File snapshot

[4.0K] /data/pocs/2f6cbd043fdca9218e0213cd326a6d6f949e226e
├── [ 64K] CVE-2025-20282 - v2.py
└── [ 969] README.md

0 directories, 2 files