Safety researcher Bobby Gould has printed a weblog submit displaying the whole exploit chain for CVE-2025-20281.
The important vulnerability was first disclosed on June 25, 2025, and Cisco warns that it’s going to have an effect on ISE and ISE-PIC variations 3.3 and three.4, permitting an unrecognized distant attacker to add any file to the goal system and run it with root privileges.
This downside stems from the insecure aerialization and command injection of the EnableStrongswantunnel() technique.
Three weeks later, the seller added one other flaw to the identical bulletin, CVE-2025-20337.
Hotfixes had been beforehand out there, however Cisco has urged customers to replace to three.3 patch 7 and three.4 patch 2 to handle each vulnerabilities.
On July 22, 2025, Cisco urged directors to actively exploit each CVE-2025-20281 and CVE-2025-20337 in assaults, urging directors to use safety updates as quickly as attainable.
After ample time has handed for directors to use the replace, Gould printed his article. He demonstrates triggering a command injection defect in Cisco ISE through a serialized Java String() payload.
Researchers leverage the habits of Java’s runtime.exec() to attain arbitrary command execution as the foundation inside a Docker container by bypassing the argument tokenization downside utilizing ${ifs}.
Lastly, Gould exhibits find out how to escape from a privileged Docker container and acquire root entry to the host system utilizing the well-known Linux container escape approach primarily based on cgroups and release_agent.
Supply: Zerodayinitiative.com
Gould’s article is just not a weaponized exploit script, however hackers can join on to the assault chain, but it surely gives all of the technical particulars and payload construction {that a} expert hacker wants to duplicate your entire exploit.
Even when lively wild exploitation is already underway, the discharge of this exploit will improve malicious exercise.
There is no such thing as a workaround for this vulnerability, so it’s a really useful plan of action to use patches directed on the vendor’s bulletin.
