Security researcher Bobby Gould has published a blog post demonstrating a complete exploit chain for CVE-2025-20281, an unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE).

With enough time having passed for administrators to apply the updates, Gould has now released his write-up, in which he triggers the command injection flaw in Cisco ISE via a serialized Java String[] payload.

The critical vulnerability was first disclosed on June 25, 2025, with Cisco warning that it impacts ISE and ISE-PIC versions 3.3 and 3.4 and allows unauthenticated, remote attackers to execute arbitrary commands on the underlying operating system as root.

The researcher achieves arbitrary command execution as root inside a Docker container by exploiting the behavior of Java's Runtime.exec(), which, when handed a single command string, splits it on whitespace before passing it to the operating system, and by using ${IFS} in place of spaces so that the shell, rather than Java, reconstructs the argument boundaries.

Finally, Gould demonstrates how to escape from the privileged Docker container and gain root access on the host system using a well-known Linux container escape technique based on cgroups and release_agent: a container that holds CAP_SYS_ADMIN can mount a cgroup v1 hierarchy and set its release_agent to a path of its choosing, which the kernel then executes as root in the host's namespaces once the cgroup empties.

On July 22, 2025, Cisco marked both CVE-2025-20281 and CVE-2025-20337 as actively exploited in attacks, urging admins to apply the security updates as soon as possible.

Although Gould's write-up is not a weaponized exploit script that attackers can plug directly into their attack chain, it provides all the technical details and payload structure a skilled attacker needs to recreate the whole exploit.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
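The ${IFS} trick mentioned above is easiest to understand by watching what Java does to a command string. The following is an added example, not code from Gould's write-up or from Cisco ISE: it models the generic behaviour of Java's Runtime.exec(String), which splits the command into an argv with java.util.StringTokenizer (delimiters " \t\n\r\f", quotes not understood), and then hands that argv to /bin/sh exactly as Java would, so the shell half of the demonstration is real behaviour rather than emulation. The command prefix, the payload strings and the assumption that attacker input is concatenated into a single exec string are constructed for the demonstration.

```python
"""Why ${IFS} appears in Runtime.exec() command-injection payloads (added example)."""
import subprocess

# Default delimiter set of java.util.StringTokenizer, which Runtime.exec(String) uses.
JAVA_DELIMS = " \t\n\r\f"


def java_exec_tokenize(command: str) -> list[str]:
    """Reproduce how Runtime.exec(String) turns one command string into an argv.

    Quotes are ordinary characters here: Java keeps them inside the tokens and
    simply splits on whitespace, which is what breaks naive payloads.
    """
    argv, token = [], ""
    for ch in command:
        if ch in JAVA_DELIMS:
            if token:
                argv.append(token)
                token = ""
        else:
            token += ch
    if token:
        argv.append(token)
    return argv


def run_as_java_would(command: str) -> subprocess.CompletedProcess:
    """Tokenize like Java, then execve the argv directly (no extra shell layer)."""
    return subprocess.run(
        java_exec_tokenize(command), capture_output=True, text=True, timeout=10
    )


def ifs_encode(shell_snippet: str) -> str:
    """Swap spaces for ${IFS} so the snippet survives Java's tokenizer as a single
    argv element; sh expands ${IFS} to whitespace and re-splits it into words."""
    return shell_snippet.replace(" ", "${IFS}")


if __name__ == "__main__":
    # Constructed sink: a fixed "sh -c" prefix concatenated with attacker input
    # and passed to Runtime.exec(String) as one string (assumption for the demo).
    naive = 'sh -c "echo hello world"'
    print(java_exec_tokenize(naive))       # ['sh', '-c', '"echo', 'hello', 'world"']
    result = run_as_java_would(naive)
    print(repr(result.stdout), result.returncode)  # '' and non-zero: sh got '"echo'

    payload = "sh -c " + ifs_encode("echo hello world")
    print(java_exec_tokenize(payload))     # ['sh', '-c', 'echo${IFS}hello${IFS}world']
    result = run_as_java_would(payload)
    print(repr(result.stdout), result.returncode)  # 'hello world\n' and 0
```

The naive payload fails not because of a filter but because sh receives `"echo` as its whole command string and `hello` / `world"` as $0 and $1; the ${IFS} variant arrives as one token and is split only after the shell expands it, which is why the technique also sidesteps any check that looks for literal spaces in the injected part.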
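The release_agent escape the article refers to depends on what the container was started with rather than on any ISE-specific bug, so the practical check is to look at the container's effective capabilities and cgroup mounts. The script below is an added example and is not code from the article, Gould's write-up or Cisco ISE. It decodes the CapEff mask from /proc/self/status and lists cgroup v1 hierarchies whose root is mounted read-write from /proc/self/mountinfo; release_agent exists only at the root of a v1 hierarchy, and CAP_SYS_ADMIN is what lets a container mount a fresh hierarchy and write that file. The /proc samples embedded here are constructed to mimic a --privileged container and a default Docker container; pass the contents of the real files to assess a live one.

```python
"""Triage a container for the cgroup v1 release_agent escape (added example)."""

# Bit positions from linux/capability.h, index == capability number (0..40).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Constructed /proc/self/status excerpts: full capability set (--privileged)
# versus Docker's default bounding set (0xa80425fb).
PRIVILEGED_STATUS = (
    "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\nCapBnd:\t000001ffffffffff\n"
)
DEFAULT_STATUS = (
    "Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
)

# Constructed /proc/self/mountinfo excerpts. Field 4 is the mount root inside the
# filesystem, field 5 the mount point, field 6 the per-mount options; " - "
# separates them from the fstype and superblock options.
PRIVILEGED_MOUNTINFO = (
    "25 21 0:22 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"
    "31 22 0:27 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory\n"
    "32 22 0:28 / /sys/fs/cgroup/unified rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup2 rw\n"
)
DEFAULT_MOUNTINFO = (
    "25 21 0:22 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"
    "31 22 0:27 /docker/0a1b2c /sys/fs/cgroup/memory ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory\n"
)


def parse_cap_eff(status_text: str) -> int:
    """Return the effective capability bitmask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def decode_caps(mask: int) -> list[str]:
    """Names of the capabilities set in a bitmask; unknown high bits become CAP_<n>."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(f"CAP_{CAP_NAMES[bit]}" if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def rw_cgroup_v1_roots(mountinfo_text: str) -> list[str]:
    """Mount points of cgroup v1 hierarchies whose root ("/") is mounted read-write.

    release_agent lives only at the hierarchy root, so a mount rooted at a
    sub-path such as /docker/<id>, or a read-only one, does not expose it.
    cgroup2 has no release_agent and is ignored.
    """
    hits = []
    for line in mountinfo_text.splitlines():
        if " - " not in line:
            continue
        pre, post = line.split(" - ", 1)
        fields = pre.split()
        root, mount_point, mount_opts = fields[3], fields[4], fields[5]
        fstype = post.split()[0]
        if fstype == "cgroup" and root == "/" and "rw" in mount_opts.split(","):
            hits.append(mount_point)
    return hits


def assess(status_text: str, mountinfo_text: str) -> dict:
    """Summarise the release_agent preconditions visible from inside the container."""
    caps = decode_caps(parse_cap_eff(status_text))
    has_sys_admin = "CAP_SYS_ADMIN" in caps
    return {
        "has_sys_admin": has_sys_admin,
        "rw_cgroup_v1_roots": rw_cgroup_v1_roots(mountinfo_text),
        # CAP_SYS_ADMIN is the deciding factor: with it the attacker can mount a
        # fresh v1 hierarchy and write release_agent even if none is pre-exposed.
        "release_agent_escape_possible": has_sys_admin,
    }


if __name__ == "__main__":
    print("privileged:", assess(PRIVILEGED_STATUS, PRIVILEGED_MOUNTINFO))
    print("default:   ", assess(DEFAULT_STATUS, DEFAULT_MOUNTINFO))
```

The rw_cgroup_v1_roots list is a convenience (an exposed writable root means no fresh mount is needed); the verdict rests on CAP_SYS_ADMIN, which is exactly the capability --privileged grants and which the default Docker set of 14 capabilities lacks. Dropping to that default set, or running ISE's containers without --privileged, is the mitigation this check measures.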
Published on www.bleepingcomputer.com, Mon, 28 Jul 2025 17:30:17 +0000.