Cisco ISE Flaws Enable Authenticated Remote Code Execution and Root Escalation
Cisco disclosed two high-severity vulnerabilities in Cisco Identity Services Engine (ISE), tracked as CVE-2026-20180 and CVE-2026-20186, that allow an authenticated attacker to execute arbitrary commands on the underlying operating system by sending crafted HTTP requests. Both issues require at least Read Only Admin credentials and stem from insufficient validation of user-supplied input; Cisco mapped the flaws to CWE-22 and CWE-77 respectively. Cisco assigned both vulnerabilities the same CVSS v3.1 score vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.
Successful exploitation can provide user-level operating system access and may allow attackers to escalate privileges to root. Cisco warned that in single-node ISE deployments, exploitation could also make the affected node unavailable, creating a denial-of-service condition that prevents unauthenticated endpoints from accessing the network until the system is restored.
Timeline
Apr 16, 2026
Cisco patches critical Webex SSO impersonation flaw
Cisco released fixes for a critical Webex Services vulnerability caused by improper certificate validation in SSO integration that could let an unauthenticated remote attacker impersonate any user. The company said it had no evidence of in-the-wild exploitation and advised Webex SSO customers to upload a new identity provider SAML certificate in Control Hub.
Apr 15, 2026
Cisco discloses CVE-2026-20180 and CVE-2026-20186 in Identity Services Engine
Cisco published an advisory for two authenticated remote code execution vulnerabilities in Cisco Identity Services Engine (ISE), tracked as CVE-2026-20180 and CVE-2026-20186. Both flaws require at least Read Only Admin credentials and can allow arbitrary command execution on the underlying operating system, potentially leading to root privilege escalation and denial of service in single-node deployments.
Apr 15, 2026
Cisco adds CVE-2026-20147 for Cisco ISE and ISE-PIC RCE
Cisco disclosed CVE-2026-20147, an authenticated remote code execution flaw in Cisco Identity Services Engine and Cisco ISE Passive Identity Connector caused by insufficient validation of user-supplied input in crafted HTTP requests. Successful exploitation can yield user-level OS command execution, possible root privilege escalation, and in single-node ISE deployments may cause a denial-of-service condition.
Related Stories

Critical Cisco ISE Flaws Enable Authenticated RCE and File Exposure
Cisco disclosed two vulnerabilities in **Identity Services Engine (ISE)** and **ISE Passive Identity Connector (ISE-PIC)** that can allow authenticated attackers to execute malicious code and access sensitive files. The most severe flaw, **`CVE-2026-20147`** with a **CVSS 9.9**, is an authenticated remote code execution issue that can provide user-level operating system access and may be escalated to **root**. A second flaw, **`CVE-2026-20148`** with a **CVSS 4.9**, is an authenticated path traversal vulnerability that can expose files from the underlying operating system.
1 week ago
Critical Unauthenticated RCE Flaws Patched in Cisco ISE and ISE-PIC
Cisco disclosed two critical vulnerabilities in **Identity Services Engine (ISE)** and **ISE Passive Identity Connector (ISE-PIC)** that allow unauthenticated remote attackers to execute arbitrary code on the underlying operating system with **root privileges**. The flaws, tracked as `CVE-2025-20281` and `CVE-2025-20282`, are independent issues, meaning exploitation of one is not required to exploit the other. `CVE-2025-20281` affects Cisco ISE and ISE-PIC **version 3.3 and later**, while `CVE-2025-20282` affects **version 3.4 only**; Cisco said **version 3.2 and earlier are not affected**. Cisco also warned that `CVE-2025-20282` can enable arbitrary file upload and execution on vulnerable devices. Patches have been released, and organizations running affected deployments have been urged to update immediately.
1 week ago
Active Exploitation of Cisco ISE Zero-Day Vulnerability for Remote Code Execution
Hackers exploited a zero-day vulnerability in Cisco's Identity Services Engine (ISE), tracked as CVE-2025-20337, which allowed for pre-authentication remote code execution and administrator-level access to affected systems. Amazon Web Services researchers detected the campaign using their MadPot honeypot, observing that attackers deployed custom web shells disguised as legitimate Cisco ISE components, specifically `IdentityAuditAction`, and used Java APIs to inject themselves into running threads and monitor HTTP requests on Tomcat servers. The vulnerability, rated with a maximum CVSS score of 10, was actively exploited in the wild before Cisco had assigned a CVE or released comprehensive patches for all affected ISE branches. Cisco released a patch for the flaw in July after confirming in-the-wild exploitation, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) subsequently added CVE-2025-20337 to its Known Exploited Vulnerabilities catalog. AWS CISO CJ Moses highlighted that the attackers' use of "patch-gap exploitation"—targeting systems before official disclosure and patch availability—demonstrates the sophistication of threat actors who rapidly weaponize newly discovered vulnerabilities. Organizations using Cisco ISE are urged to ensure patches are applied and to monitor for signs of compromise, particularly the presence of suspicious web shells or unauthorized HTTP listeners.
1 month ago