Unauthenticated Arbitrary File Upload and Root RCE in Cisco ISE and ISE-PIC

This repository is a minimal standalone Python proof-of-concept exploit for CVE-2025-20282 targeting Cisco ISE. It contains only two files: a trivial README pointing elsewhere and a single executable script, rce.py, which is the clear entry point and core exploit logic. The script uses argparse for a single target argument, requests for HTTPS communication, zipfile/io to build an in-memory ZIP archive, and disables TLS certificate warnings to facilitate exploitation of appliances with self-signed certificates. The exploit workflow is straightforward: it first constructs a ZIP archive containing a JSP webshell at appsrv/apache-tomcat/webapps/admin/error/shell.jsp, then POSTs that archive to the target's /admin/files-upload/z endpoint. After upload, it sends a GET request to /admin/error/shell.jsp with a cmd parameter, causing the JSP to execute arbitrary shell commands through /bin/bash -c and return the output. The included demonstration command is 'sudo /usr/bin/timeout --foreground -s SIGKILL 10 /bin/id', which suggests the author expects elevated execution context and is attempting to demonstrate root-level command execution. Overall, this is a real exploit rather than a detector: it weaponizes an unauthenticated upload primitive into remote code execution by planting a server-side webshell. It is operational but basic, with a hardcoded JSP payload and no advanced operator features such as cleanup, interactive shell management, authentication bypass logic beyond the assumed vulnerable endpoint behavior, or payload customization beyond manually changing the cmd parameter.

This repository is a small standalone Python exploit PoC consisting of a README and a single executable script, rce.py. The script targets Cisco ISE and explicitly labels itself as a PoC for CVE-2025-20282. Its purpose is unauthenticated remote code execution via a two-stage workflow: first, it builds an in-memory ZIP archive containing a JSP webshell; second, it uploads that archive to an administrative file-upload endpoint so the shell is written into the Tomcat webroot and becomes reachable over HTTPS. The exploit logic is straightforward. make_zip() creates a ZIP archive from attacker-controlled file paths and contents. upload() sends that ZIP to /admin/files-upload/z using a multipart/form-data POST request with TLS verification disabled. The embedded payload is a JSP webshell that reads the cmd query parameter, executes it through /bin/bash -c, redirects stderr to stdout, and returns command output in the HTTP response. execute() then calls the deployed shell at /admin/error/shell.jsp with a chosen command. In main(), the operator supplies a target hostname or IP on the command line. The script uploads the ZIP with the internal path appsrv/apache-tomcat/webapps/admin/error/shell.jsp, then invokes the shell with the command sudo /usr/bin/timeout --foreground -s SIGKILL 10 /bin/id. This demonstrates post-exploitation command execution and suggests the exploit author expects privilege escalation or privileged command execution in the target environment. Overall, this is a real exploit rather than a detector. It is operational but simple: it contains a hardcoded JSP webshell payload and a fixed demonstration command, with no advanced operator controls, persistence management, or framework integration.

This repository contains a proof-of-concept exploit for CVE-2025-20282, targeting Cisco Identity Services Engine (ISE). The main file, 'CVE-2025-20282 - v2.py', is a Python script that creates a ZIP archive containing a modified version of the 'isehourlycron.sh' shell script (normally found at /opt/CSCOcpm/bin/ on the target). The script injects an attacker-supplied command into this shell script unless the '--reset' flag is used, in which case it restores the original content. The ZIP file is then uploaded via an unauthenticated POST request to the '/admin/files-upload/' endpoint on the target Cisco ISE instance. Once uploaded, the ZIP is extracted on the target, and the modified shell script is executed as root by a cron job, resulting in remote code execution as root. The repository consists of the exploit script and a README.md explaining the vulnerability and usage. The exploit requires network access to the target's HTTPS interface and leverages a file upload vulnerability to achieve code execution.