PoC Exploit Published for Actively Exploited Cisco Identity Services Engine Flaw
Security researchers have published a detailed proof-of-concept exploit for a critical vulnerability in Cisco Identity Services Engine (ISE) that allows attackers to achieve remote code execution without authentication.
The flaw, tracked as CVE-2025-20281, affects the widely deployed network access control platform and has been actively exploited in the wild.
Critical Zero-Day Vulnerability Exposed
The vulnerability was initially reported to the Trend Zero Day Initiative (ZDI) on January 25, 2025, by security researcher Kentaro Kawane of GMO Cybersecurity by Ierae.
The flaw exists in the enableStrongSwanTunnel method of the DescriptionRegistrationListener class, where unsafe deserialization of untrusted data creates a pathway for attackers to execute arbitrary commands with root privileges.
Bobby Gould, a security researcher analyzing the vulnerability, discovered that the same function contained an additional command injection vulnerability.
Because the two issues sit in the same function, Cisco initially assigned both the same CVE identifier, but later issued a separate CVE-2025-20337 so that all attack vectors were fully covered.
The exploit chain is particularly sophisticated, requiring attackers to bypass Java’s string tokenization mechanisms and escape from a Docker container to achieve full system compromise.
The vulnerability allows attackers to send malicious serialized Java objects to the /deployment-rpc/enableStrongSwanTunnel endpoint, which processes the input without proper validation.
The command injection occurs when user-supplied data is concatenated directly into a sudo command that executes a shell script with elevated privileges.
However, exploitation proved challenging due to Java’s StringTokenizer class, which splits command strings on whitespace characters without respecting quotes or backticks.
Researchers overcame this limitation by leveraging Bash’s Internal Field Separator (${IFS}) variable, replacing spaces in malicious commands to maintain payload integrity through Java’s tokenization process.

This technique allowed the injection of arbitrary commands into the configureStrongSwan.sh script execution flow.
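To make the tokenization point concrete, here is an added Java illustration (not Cisco's code): a whitespace split that treats a value containing ${IFS} as a single token, alongside an allowlist check that rejects any such value before it can reach a shell. The script path, the command shape and the "peer" parameter are assumptions made for the illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;
import java.util.regex.Pattern;

// Added illustration (not Cisco's code): the command shape, script path and
// the "peer" parameter name are assumptions used only to show the pattern.
public class StrongSwanArgCheck {
    // Allowlist for a hostname-like value: letters, digits, dot, dash. No
    // whitespace, quotes, backticks, '$', '{', '}' or ';' can match this.
    static final Pattern SAFE_PEER = Pattern.compile("^[A-Za-z0-9.-]{1,253}$");

    // Weak pattern described in the article: untrusted input is concatenated
    // into a command string that is later split on whitespace.
    static List<String> splitLikeStringTokenizer(String untrustedPeer) {
        String cmd = "sudo /opt/assumed/configureStrongSwan.sh " + untrustedPeer;
        StringTokenizer st = new StringTokenizer(cmd); // delimiters: space \t \n \r \f
        List<String> tokens = new ArrayList<>();
        while (st.hasMoreTokens()) {
            tokens.add(st.nextToken());
        }
        return tokens;
    }

    // Hardened form: reject anything outside the allowlist before use, and
    // pass the value as a discrete argv element rather than through a shell.
    static List<String> buildArgv(String untrustedPeer) {
        if (untrustedPeer == null || !SAFE_PEER.matcher(untrustedPeer).matches()) {
            throw new IllegalArgumentException("rejected peer value");
        }
        return List.of("/opt/assumed/configureStrongSwan.sh", untrustedPeer); // no "sh -c"
    }

    public static void main(String[] args) {
        String[] samples = { "vpn-peer.example.net", "peer extra", "peer${IFS}extra" };
        for (String s : samples) {
            int n = splitLikeStringTokenizer(s).size();
            String verdict;
            try {
                buildArgv(s);
                verdict = "accepted";
            } catch (IllegalArgumentException e) {
                verdict = "rejected";
            }
            // "peer extra" yields 4 tokens, but "peer${IFS}extra" yields 3, the
            // same as the benign value: a token-count check cannot tell them apart.
            System.out.printf("%-22s tokens=%d allowlist=%s%n", s, n, verdict);
        }
    }
}
```

The allowlist rejects both the plain-space and the ${IFS} variants, which is the check a token-based sanitizer cannot provide.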
The vulnerability becomes even more dangerous because the affected code executes within a privileged Docker container named strongswan-container.
Exploiting this configuration, researchers demonstrated a complete container escape using Linux cgroup manipulation techniques.
The escape method involves mounting a cgroup filesystem, configuring a release agent script, and triggering its execution on the host system when the cgroup is emptied.
This “User-Mode Helpers” technique, previously documented in security research, grants attackers root-level access to the underlying ISE server.
Cisco ISE is a cornerstone technology for enterprise network security, making this vulnerability particularly concerning for organizations worldwide.
The pre-authentication nature of the flaw means attackers require no valid credentials to begin exploitation attempts.
Organizations running affected Cisco ISE installations should immediately apply available security patches and monitor their systems for signs of compromise.
The publication of detailed exploit code significantly increases the risk of widespread attacks, making rapid remediation critical for maintaining network security posture.