Critical · CISA KEV · Exploited in the wild · Public exploit

Unauthenticated RCE in Cisco ISE and ISE-PIC API

Identifiers: CVE-2025-20281 · CWE-74 (Improper Neutralization of Special…)

CVE-2025-20281 is a critical vulnerability in a specific API of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). The flaw is caused by insufficient validation of user-supplied input in the exposed API. A remote attacker can send a crafted API request to trigger arbitrary code execution on the underlying operating system. Cisco states that exploitation does not require valid credentials, and successful exploitation results in code execution as root. Supporting context also indicates the issue affects Cisco ISE/ISE-PIC release 3.3 and later, while release 3.2 and earlier are not affected.


ANALYST BRIEF: Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows complete compromise of the affected appliance at the operating-system level. Because code executes as root, an attacker can fully control the device, alter Cisco ISE policy behavior, access or modify sensitive authentication and configuration data, establish persistence, and use the compromised system for further network compromise or lateral movement. The vulnerability has been reported as actively exploited in the wild and was added to the CISA Known Exploited Vulnerabilities catalog.

Mitigation

If you can’t patch tonight, do this now.

No workarounds are available according to the supporting content. Until patching is completed, the practical mitigation is to reduce exposure of Cisco ISE/ISE-PIC management and API surfaces to untrusted networks, strictly limit network reachability to the vulnerable API, monitor for anomalous crafted API requests and signs of appliance compromise, and isolate affected systems where feasible. These measures do not replace patching.

Remediation

Patch, then assume compromise.

Apply Cisco’s fixed software releases for affected Cisco ISE and ISE-PIC deployments. Supporting content indicates customers should upgrade affected 3.3 deployments to 3.3 Patch 7 and affected 3.4 deployments to 3.4 Patch 2. Release 3.2 and earlier are not affected by this CVE. Cisco also noted that certain earlier hot patches are insufficient for the broader June/July 2025 ISE vulnerability set, so organizations should ensure they are on the vendor-recommended fixed releases rather than relying on interim hotfixes alone.
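The remediation paragraph above reduces to a version gate: 3.2 and earlier are out of scope, 3.3 needs Patch 7 or later, 3.4 needs Patch 2 or later. The following triage helper is an added example (not Mallory's or Cisco's code) that applies exactly that gate to an inventory of ISE/ISE-PIC nodes. It assumes version strings in the shape "3.3.0.430 Patch 6" or "3.4 Patch 2" (major.minor, optional build digits, optional patch level); the hostnames and versions in the sample inventory are constructed. Trains newer than 3.4 are flagged for review rather than cleared, because the page lists no fixed release for them.

```python
"""Patch-level triage for CVE-2025-20281 on Cisco ISE / ISE-PIC nodes.

Added example, not from the Mallory page or from Cisco. Fixed releases are taken
from the advisory summary: 3.3 -> 3.3 Patch 7, 3.4 -> 3.4 Patch 2; 3.2 and
earlier are not affected. The version-string format is an assumption.
"""
import re
from dataclasses import dataclass

# Minimum patch level that closes this CVE, per release train (from the page).
FIXED_PATCH = {(3, 3): 7, (3, 4): 2}
# Releases below this train are stated as not affected.
FIRST_AFFECTED = (3, 3)

# Assumed format: "<major>.<minor>[.<build>...][ Patch <n>]"
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.\d+)*(?:\s*[Pp]atch\s*(\d+))?\s*$")


@dataclass(frozen=True)
class Verdict:
    host: str
    version: str
    status: str  # one of: not_affected, vulnerable, fixed, review
    action: str


def parse_version(text):
    """Return ((major, minor), patch_level); a missing 'Patch n' counts as 0."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    train = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    return train, patch


def assess(host, version):
    """Decide whether one node is exposed to CVE-2025-20281 and what to do."""
    train, patch = parse_version(version)
    if train < FIRST_AFFECTED:
        return Verdict(host, version, "not_affected", "no action for this CVE")
    if train not in FIXED_PATCH:
        # 3.3 and later is stated as affected, but no fix is listed here for this train.
        return Verdict(host, version, "review",
                       "train not covered by the fixed releases listed; check Cisco's advisory")
    need = FIXED_PATCH[train]
    label = f"{train[0]}.{train[1]} Patch {need}"
    if patch >= need:
        return Verdict(host, version, "fixed", f"at or above {label}")
    return Verdict(host, version, "vulnerable",
                   f"upgrade to {label}; restrict reachability to the ERS API (TCP 9060) until done")


def triage(inventory):
    """Run assess() over (host, version) pairs and return the verdicts in order."""
    return [assess(host, version) for host, version in inventory]


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("ise-pan-01", "3.3.0.430 Patch 6"),  # 3.3 below Patch 7 -> vulnerable
    ("ise-pan-02", "3.4 Patch 2"),        # 3.4 at Patch 2   -> fixed
    ("ise-psn-03", "3.2 Patch 7"),        # 3.2 train        -> not affected
    ("ise-lab-04", "3.5"),                # newer train      -> review
]

if __name__ == "__main__":
    for v in triage(SAMPLE_INVENTORY):
        print(f"{v.host:12} {v.version:20} {v.status:13} {v.action}")
```

Feed it the output of your asset inventory rather than the sample list; the point of the "review" status is that a node on a newer train is never silently cleared by a rule written for 3.3 and 3.4.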
PUBLIC EXPLOITS

Exploits

3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

Valid: 3 / 4 total
Ashwesker-CVE-2025-20281 · Maturity: PoC · Verified exploit

This repository contains a proof-of-concept (PoC) exploit for CVE-2025-20281, a critical unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) versions 3.3 and 3.4.0. The exploit is implemented in a single Python script (CVE-2025-20281.py), which sends a crafted POST request to the ERS API endpoint (https://<target>:9060/ers/sdk#_) without authentication. The payload injects arbitrary shell commands into the 'name' field, exploiting insufficient input validation to achieve root-level command execution. The script supports running a simple command (e.g., 'whoami') or spawning a reverse shell to an attacker-controlled host. The README.md provides detailed vulnerability information, affected versions, remediation steps, and responsible use guidelines. The exploit requires Python 3.6+ and the 'requests' and 'urllib3' libraries. No detection or scanning functionality is present; the code is strictly for exploitation.

Ashwesker · Disclosed Jul 6, 2025 · python · network

Cisco-CVE-2025-20281-illdeed · Maturity: PoC · Verified exploit

This repository provides a Python 3 proof-of-concept exploit for CVE-2025-20281, a critical unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE) via the ERS API. The main exploit script (CVE-2025-20281.py) allows an attacker to send a specially crafted POST request to the /ers/sdk#_ endpoint on TCP port 9060, injecting shell commands through the 'name' parameter of an InternalUser object. The script supports executing arbitrary commands, running a quick 'whoami' test, or launching a bash reverse shell to an attacker-controlled host. No authentication is required, and the exploit is effective against Cisco ISE PAN nodes with ERS enabled. The repository includes a README with usage instructions and a LICENSE file. The exploit is operational, providing real RCE capabilities, and is not part of a larger framework.

ill-deed · Disclosed Jul 4, 2025 · python · network

CVE-2025-20281-2-Cisco-ISE-RCE · Maturity: PoC · Verified exploit

This repository contains a Python proof-of-concept exploit for CVE-2025-20281, a critical unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE) via the ERS API. The main exploit script, PoC.py, allows an attacker to send a crafted POST request to the InternalUser ERS API endpoint (https://<target>:9060/ers/sdk#_) without authentication. The exploit injects arbitrary shell commands into the 'name' field of the request, which are executed as root on the target system. The script supports two modes: running a simple command (such as 'whoami') or spawning a bash reverse shell to an attacker-controlled host. The repository is minimal, containing only the exploit script, a README with usage instructions, and a license file. No detection or fake code is present; this is a functional proof-of-concept exploit.

abrewer251 · Disclosed Jun 27, 2025 · python · network
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor         | Product                                               | Type
Cisco Systems  | Identity Services Engine                              | application
Cisco Systems  | Identity Services Engine Passive Identity Connector   | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Exposure mapping: Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence: Every observed campaign linking this CVE to a named adversary.

Associated malware (1): Malware families riding this exploit, with evidence and IOCs.

Detection signatures (2): YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping: Cross-references every affected SKU, including bundled OEM variants.

Social activity (84): Community discussion across Reddit, Mastodon, and other social sources.