Mallory

Cisco Identity Services Engine XML External Entity Vulnerability

Tags: identity-authentication-vulnerability, proof-of-concept-release, widely-deployed-product-advisory
Updated March 21, 2026 at 02:56 PM · 6 sources


Cisco has disclosed and patched a vulnerability (CVE-2026-20029) in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that allows authenticated attackers with administrative privileges to exploit improper XML parsing in the web-based management interface. By uploading a malicious file, an attacker could read arbitrary files from the underlying operating system, potentially accessing sensitive data that should not be available even to administrators. Cisco has confirmed that there is public proof-of-concept exploit code available, though there is no evidence of active exploitation at this time. The company strongly recommends upgrading to the fixed software versions, as no workarounds are available and mitigations are only temporary.

The vulnerability affects all versions of Cisco ISE and ISE-PIC prior to the fixed releases, with specific patches available for versions 3.2, 3.3, and 3.4, while version 3.5 is not vulnerable. Cisco emphasizes the importance of prompt patching to prevent potential exploitation, especially given the availability of exploit code. The flaw is rated with a CVSS base score of 4.9 and is due to improper XML external entity processing (CWE-611).
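As an added example (not part of this story and not Cisco's ISE code), the routine below shows the defensive side of the CWE-611 class described above: an expat parser whose DOCTYPE, entity-declaration and external-reference handlers abort before any entity can be resolved, run against a constructed benign upload and a constructed document in the shape of an external-entity attempt. The element names and the placeholder file path are assumptions; the page does not describe ISE's parser internals, so the example hardens a generic upload handler rather than reproducing the vulnerable one.

```python
# Hardened XML intake for an upload endpoint (added example, not Cisco ISE code).
# Mitigation for the CWE-611 class: any DOCTYPE, entity declaration or external
# entity reference aborts parsing before an entity could ever be resolved.
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when a document carries DTD features an upload should never need."""

def _reject_doctype(name, sysid, pubid, has_internal_subset):
    raise UnsafeXMLError(f"DOCTYPE declaration refused (root {name!r})")

def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    raise UnsafeXMLError(f"entity declaration refused: {name!r}")

def _reject_external_ref(context, base, sysid, pubid):
    raise UnsafeXMLError(f"external entity reference refused: {sysid!r}")

def parse_untrusted(xml_bytes: bytes) -> dict:
    """Parse uploaded XML into {tag: text} with every DTD feature disabled."""
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype        # no DTD at all
    parser.EntityDeclHandler = _reject_entity               # no internal/external entities
    parser.ExternalEntityRefHandler = _reject_external_ref  # no file:// or http:// fetches
    stack, found = [], {}
    parser.StartElementHandler = lambda tag, attrs: stack.append(tag)
    parser.EndElementHandler = lambda tag: stack.pop()
    parser.CharacterDataHandler = (
        lambda data: found.setdefault(stack[-1], []).append(data) if stack else None)
    parser.Parse(xml_bytes, True)  # raises UnsafeXMLError or expat.ExpatError on bad input
    return {tag: "".join(parts).strip() for tag, parts in found.items()}

def screen_upload(xml_bytes: bytes) -> tuple:
    """Verdict for one upload: (accepted, reason). Only well-formed, DTD-free XML passes."""
    try:
        parse_untrusted(xml_bytes)
    except UnsafeXMLError as exc:
        return False, f"rejected: {exc}"
    except expat.ExpatError as exc:
        return False, f"malformed: {exc}"
    return True, "accepted"

# Constructed samples (not from the advisory): a benign profile upload, and one in the
# shape of an external-entity attempt whose SYSTEM id is a placeholder path.
BENIGN = b'<?xml version="1.0"?><profile><name>lab-node-1</name><role>admin</role></profile>'
XXE_SHAPED = (b'<?xml version="1.0"?>'
              b'<!DOCTYPE profile [<!ENTITY leak SYSTEM "file:///PLACEHOLDER/secret.txt">]>'
              b'<profile><name>&leak;</name></profile>')
```

`screen_upload(XXE_SHAPED)` returns a rejection at the DOCTYPE declaration itself, so the SYSTEM identifier is never even parsed, let alone fetched.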

Timeline

  1. Jan 7, 2026

    Cisco says no active exploitation has been observed

    In its response to CVE-2026-20029, Cisco PSIRT stated it was not aware of any malicious use of the vulnerability in the wild at the time of disclosure. This assessment was repeated across subsequent coverage of the advisory and patch release.

  2. Jan 7, 2026

    Cisco publishes advisory and patches for CVE-2026-20029

    Cisco disclosed CVE-2026-20029 in a security advisory and released software updates for affected ISE and ISE-PIC versions. Cisco said the issue stems from improper XML parsing in the web-based management interface and advised customers to upgrade because no effective workaround exists.

  3. Jan 7, 2026

    Public PoC exploit for CVE-2026-20029 becomes available

    Public proof-of-concept exploit code was released for CVE-2026-20029, increasing the risk that attackers could abuse the file-read vulnerability in Cisco ISE and ISE-PIC. Multiple reports noted that the PoC was available before or at the time Cisco issued its advisory.

  4. Jan 7, 2026

    Trend Micro ZDI researcher reports Cisco ISE XML parsing flaw

    Bobby Gould of Trend Micro's Zero Day Initiative discovered and reported CVE-2026-20029, an improper XML parsing vulnerability in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). The flaw allows authenticated administrators to read arbitrary sensitive files from the underlying operating system.



Related Stories

Critical Unauthenticated RCE Flaws Patched in Cisco ISE and ISE-PIC

Cisco disclosed two critical vulnerabilities in **Identity Services Engine (ISE)** and **ISE Passive Identity Connector (ISE-PIC)** that allow unauthenticated remote attackers to execute arbitrary code on the underlying operating system with **root privileges**. The flaws, tracked as `CVE-2025-20281` and `CVE-2025-20282`, are independent issues, meaning exploitation of one is not required to exploit the other. `CVE-2025-20281` affects Cisco ISE and ISE-PIC **version 3.3 and later**, while `CVE-2025-20282` affects **version 3.4 only**; Cisco said **version 3.2 and earlier are not affected**. Cisco also warned that `CVE-2025-20282` can enable arbitrary file upload and execution on vulnerable devices. Patches have been released, and organizations running affected deployments have been urged to update immediately.

1 week ago

Critical Cisco ISE Flaws Enable Authenticated RCE and File Exposure

Cisco disclosed two vulnerabilities in **Identity Services Engine (ISE)** and **ISE Passive Identity Connector (ISE-PIC)** that can allow authenticated attackers to execute malicious code and access sensitive files. The most severe flaw, **`CVE-2026-20147`** with a **CVSS 9.9**, is an authenticated remote code execution issue that can provide user-level operating system access and may be escalated to **root**. A second flaw, **`CVE-2026-20148`** with a **CVSS 4.9**, is an authenticated path traversal vulnerability that can expose files from the underlying operating system.

1 week ago

Cisco ISE Flaws Enable Authenticated Remote Code Execution and Root Escalation

Cisco disclosed two high-severity vulnerabilities in **Cisco Identity Services Engine (ISE)**, tracked as `CVE-2026-20180` and `CVE-2026-20186`, that allow an authenticated attacker to execute arbitrary commands on the underlying operating system by sending crafted HTTP requests. Both issues require at least **Read Only Admin** credentials and stem from insufficient validation of user-supplied input; Cisco mapped the flaws to **`CWE-22`** and **`CWE-77`** respectively. Cisco assigned both vulnerabilities the same **CVSS v3.1** score vector: `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`. Successful exploitation can provide user-level operating system access and may allow attackers to escalate privileges to **root**. Cisco warned that in **single-node ISE deployments**, exploitation could also make the affected node unavailable, creating a denial-of-service condition that prevents unauthenticated endpoints from accessing the network until the system is restored.

2 weeks ago
