思科 ISE API 未认证远程代码执行漏洞

攻击者可以利用此漏洞在受影响的设备上上传恶意文件，并随后在操作系统上执行这些文件，以 root 权限运行。这可能导致攻击者完全控制受影响的 Cisco ISE 设备，包括访问敏感数据、修改配置、安装恶意软件，甚至利用该设备作为跳板攻击网络中的其他系统。由于该漏洞无需身份验证，攻击者可以从外部网络发起攻击，使得攻击面非常广泛。此漏洞的潜在影响类似于其他 RCE 漏洞，例如 Log4Shell，可能导致大规模的安全事件。

Organizations heavily reliant on Cisco ISE for network access control are at significant risk. This includes enterprises, educational institutions, and government agencies. Environments with legacy ISE deployments or those lacking robust security monitoring practices are particularly vulnerable. Shared hosting environments utilizing Cisco ISE are also at increased risk due to the potential for cross-tenant exploitation.

• linux / server: Monitor ISE logs (typically located in /var/log/ise/) for unusual file uploads or execution attempts. Use journalctl -f to monitor real-time log activity.

journalctl -f | grep -i "upload" | grep -i "execute"

• cisco: Use Cisco's Security Monitoring and Threat Detection (SMTD) tools to detect suspicious file upload patterns and unauthorized access attempts. Check Cisco's Threat Response Intelligence Center (CTRIC) for relevant signatures. • generic web: Monitor network traffic for unusual HTTP POST requests to ISE API endpoints, especially those related to file uploads. Use curl to test endpoint exposure.

curl -v -X POST -F "[email protected]" <ISE_IP>/api/upload

1. 2025-06-25Disclosure

   disclosure

1. 已保留2024-10-10
2. 发布日期2025-06-25
3. 修改日期2026-02-26
4. EPSS 更新日期2026-03-23

Cisco 建议用户尽快升级至修复版本。如果无法立即升级，可以考虑以下缓解措施：限制对受影响的内部 API 的访问，仅允许授权用户访问；实施严格的文件上传验证，确保上传的文件类型和大小符合预期；使用 Web 应用防火墙 (WAF) 或代理服务器来过滤恶意请求；监控系统日志，检测异常的文件上传活动。升级后，请验证修复是否成功，例如通过尝试上传一个已知恶意文件并确认其被拒绝。