CVE-2025-20281

CRITICAL KEV NUCLEI

Cisco Identity Services Engine - Unauthenticated Remote Code Execution via API Request

Title source: llm

Exploitation Summary

CVE-2025-20281 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added July 28, 2025. EIP tracks 3 public exploits from researchers including abrewer251, grupooruss, and ill-deed. A Nuclei detection template is also available.

AI-analyzed exploit summary: This is a functional Python PoC for CVE-2025-20281, exploiting an unauthenticated RCE vulnerability in Cisco ISE's ERS API by injecting shell commands into the 'InternalUser' resource. It supports both a simple 'whoami' check and a reverse shell payload.

Description

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.

Exploits (3)

nomisec WORKING POC 20 stars
by abrewer251 · remote
https://github.com/abrewer251/CVE-2025-20281-2-Cisco-ISE-RCE

This is a functional Python PoC for CVE-2025-20281, exploiting an unauthenticated RCE vulnerability in Cisco ISE's ERS API by injecting shell commands into the 'InternalUser' resource. It supports both a simple 'whoami' check and a reverse shell payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Cisco Identity Services Engine (ISE) ERS API
No auth needed
Prerequisites: Python 3.6+ · requests library · urllib3 library · network access to target
devstral-2 · analyzed Feb 16, 2026

nomisec SCANNER 6 stars
by grupooruss · poc
https://github.com/grupooruss/CVE-2025-20281-Cisco

This repository contains a Python script that checks for the presence of CVE-2025-20281, an unauthenticated RCE vulnerability in Cisco ISE. The script sends a crafted payload to a specific API endpoint and analyzes the response for signs of vulnerability.

Classification: Scanner 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Cisco Identity Services Engine (ISE), Cisco ISE-PIC
No auth needed
Prerequisites: Network access to the target system · Python 3.x with requests library
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 5 stars
by ill-deed · remote
https://github.com/ill-deed/Cisco-CVE-2025-20281-illdeed

This is a functional Python PoC exploit for CVE-2025-20281, targeting an unauthenticated RCE vulnerability in Cisco ISE ERS API via command injection in the 'InternalUser' name parameter. It supports arbitrary command execution, reverse shells, and basic testing.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Cisco Identity Services Engine (ISE) with ERS API enabled
No auth needed
Prerequisites: Network access to Cisco ISE PAN on port 9060 · ERS API endpoint exposed
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Cisco ISE - Remote Code Execution
CRITICAL · VERIFIED · by daffainfo
Shodan: "Set-Cookie: APPSESSIONID=" "Path=/admin"
FOFA: title="identity services engine"

Scores

CVSS v3 10.0
EPSS 0.3348
EPSS Percentile 97.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2025-07-28
VulnCheck KEV 2025-07-13
ENISA EUVD EUVD-2025-19167
CWE CWE-74
Status published
Products (4)
cisco/identity_services_engine 3.3.0 (7 CPE variants)
cisco/identity_services_engine 3.4.0 (2 CPE variants)
cisco/identity_services_engine_passive_identity_connector 3.3.0 (7 CPE variants)
cisco/identity_services_engine_passive_identity_connector 3.4.0 (2 CPE variants)
Published Jun 25, 2025
KEV Added Jul 28, 2025
Tracked Since Feb 18, 2026