Proof of concept of CVE-2025-20282, the perfect 10.
Cisco ISE CVE 2025-20282
Proof of concept
Writeup: https://riversecurity.eu/like-stealing-cisco-ise-cream-from-a-kid-weaponizing-a-cve/
The Python script abuses the upload function that is available unauthenticated at /admin/files-upload/.
The script locally creates a bin folder containing a file named isehourlycron.sh and fills it with the original content from the Cisco ISE installation (located in the /opt/CSMS/bin folder). That original file is base64 encoded and included in the script.
A command is then appended to the end of the file, unless you specify "--reset"; in that case no command is added and the file is reverted to its original content.
The script then zips that folder recursively, with its content, into a file named output.zip.
The file is then uploaded to the ISE installation through /admin/files-upload/.
On the Cisco ISE side, output.zip is placed in /tmp/ and all of its content is extracted to the /opt/CSCOcpm/ folder.
isehourlycron.sh runs as root several times within an hour, which allows remote code execution as root.
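For responders, the steps above leave two artifacts to examine: the archive in /tmp/ and the overwritten isehourlycron.sh. The following is an added triage example, not part of the PoC or of Cisco's tooling; the function names are hypothetical and BASELINE is a constructed stand-in for a known-good copy of the script taken from a clean installation.

```python
import difflib
import io
import posixpath
import zipfile

EXTRACT_ROOT = "/opt/CSCOcpm"        # extraction target named in the README
WATCHED = {"bin/isehourlycron.sh"}   # script the README says runs as root

# Constructed stand-in for a known-good copy of the script (not Cisco's content).
BASELINE = "#!/bin/sh\necho hourly-maintenance\n"

def triage_archive(zip_bytes, baseline=BASELINE):
    """Return (kind, extracted path, added lines) for each watched file in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Normalise "./bin/x", "bin//x" and backslashes to one relative form.
            rel = posixpath.normpath(info.filename.replace("\\", "/")).lstrip("/")
            if rel not in WATCHED:
                continue
            body = zf.read(info).decode("utf-8", "replace").splitlines()
            diff = difflib.ndiff(baseline.splitlines(), body)
            # Lines present in the archived copy but not in the baseline.
            added = [line[2:] for line in diff if line.startswith("+ ")]
            kind = "watched-modified" if added else "watched-matches-baseline"
            findings.append((kind, posixpath.join(EXTRACT_ROOT, rel), added))
    return findings

def build_sample():
    """Constructed archive: the baseline script plus one appended marker line."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("bin/isehourlycron.sh", BASELINE + "echo CONSTRUCTED-APPENDED-LINE\n")
        zf.writestr("bin/unrelated.txt", "constructed\n")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in triage_archive(build_sample()):
        print(finding)
```

A "watched-matches-baseline" result still means the root-run script was overwritten through the upload path (the "--reset" case), so it warrants the same follow-up as a modified copy.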
[4.0K] /data/pocs/2f6cbd043fdca9218e0213cd326a6d6f949e226e
├── [ 64K] CVE-2025-20282 - v2.py
└── [1.0K] README.md
1 directory, 2 files