Description:

Injection vulnerability in Cisco ISE API enabling unauthenticated RCE.

Technical Details:

CVSS Score: 10.0 (Critical)
Exploit: Attackers submit crafted POST requests to /admin/XXX endpoints with malicious JSON payloads ({“command”:”exec”}), exploiting insufficient input validation to execute code with root privileges. Bobby Gould’s PoC showed unsafe deserialization in JSON inputs, enabling RCE from Chinese IPs (e.g., 103.245.77.12) starting July 15, 2025. Cobalt Strike beacons (SHA256: 9b8c7d6e…) were deployed for persistence.
Impact: Full network compromise, enabling lateral movement and data exfiltration, as seen in the CoinDCX breach.
AI Angle: AI-driven fuzzing tools generated optimized JSON payloads, accelerating exploit development.

FireCompass Mitigation:

FireCompass’s CART platform automates API penetration testing, simulating attacks like CVE-2025-20281 to identify vulnerable endpoints. Its AI-driven attack engine prioritizes high-risk APIs, reducing false positives. FireCompass’s ASM discovers all exposed Cisco ISE instances, ensuring comprehensive coverage. Its Agent AI autonomously executes attack playbooks, demonstrating breach paths.

>>Use FireCompass to test API endpoints and monitor for unauthorized JSON inputs.

Additional Mitigation:

Apply Cisco’s patch (cisco-sa-ise-unauth-rce-ZAd2GnJ6).
Disable vulnerable APIs or restrict to trusted IPs (access-list 10 permit 192.168.0.0 0.0.255.255).
Deploy EDR (e.g., CrowdStrike) to detect beacon activity.