Zero Day Initiative | Blog
Follow
CVE-2025-20281: Cisco ISE API Unauthenticated Remote Code Execution Vulnerability
A vulnerability in Cisco Identity Services Engine (ISE), specifically in the enableStrongSwanTunnel method, allowed command injection as root. This was initially reported as a deserialization vulnerability but also included a command injection flaw. The researcher, Kentaro Kawane, discovered that attacker-supplied data was used to execute shell scripts with sudo privileges. Exploitation proved more complex than initially anticipated due to how Java's exec() method tokenizes commands. Java's StringTokenizer ignores quotes, preventing direct command execution; however, the researcher circumvented this by using the bash Internal Field Separator (${IFS}) variable. This allowed injection of commands as a single argument, avoiding tokenization issues. The injected commands initially ran within a Docker container, but because the container ran in privileged mode, the researcher used a "User-Mode Helpers" technique to escape the container and gain root access on the host system. A base64 encoding was used to bypass the space character limitation in the payload. The complete exploit involved sending a specially crafted POST request to the vulnerable endpoint. This successful exploitation demonstrates a combination of vulnerabilities leading to complete system compromise. The researcher emphasizes the importance of understanding both Java's exec() behavior and the capabilities of privileged Docker containers. Further research into this area is planned.