Critical Cisco ISE Flaws Enable Authenticated RCE and File Exposure
Cisco disclosed two vulnerabilities in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that can allow authenticated attackers to execute malicious code and access sensitive files. The most severe flaw, CVE-2026-20147 with a CVSS 9.9, is an authenticated remote code execution issue that can provide user-level operating system access and may be escalated to root. A second flaw, CVE-2026-20148 with a CVSS 4.9, is an authenticated path traversal vulnerability that can expose files from the underlying operating system.
Timeline
Apr 20, 2026
Cisco discloses additional ISE and Webex flaws with security updates
On 2026-04-20, Cisco disclosed additional vulnerabilities affecting ISE, ISE-PIC, and Webex Services, including ISE command-execution flaws CVE-2026-20180 and CVE-2026-20186 and Webex SSO certificate validation flaw CVE-2026-20184. Cisco released software updates, said it had not observed active exploitation, and advised customers to patch immediately because no workarounds were available.
Apr 17, 2026
Belgium CCB warns organizations to patch Cisco ISE vulnerabilities
On 2026-04-17, Belgium's Centre for Cybersecurity Belgium (CCB) published an advisory warning about multiple critical Cisco ISE vulnerabilities that could lead to remote code execution and urged immediate patching. This reflects official downstream alerting to affected organizations following Cisco's disclosure.
Apr 15, 2026
Cisco discloses two Cisco ISE vulnerabilities and releases fixes
On 2026-04-15, Cisco published a security advisory for two vulnerabilities affecting Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC): CVE-2026-20147, a critical authenticated remote code execution flaw (CVSS 9.9), and CVE-2026-20148, an authenticated path traversal flaw (CVSS 4.9). Cisco said there were no workarounds, advised administrators to upgrade to fixed releases immediately, and stated it was not aware of public exploitation at the time of publication.
Related Stories

Cisco ISE Flaws Enable Authenticated Remote Code Execution and Root Escalation
Cisco disclosed two vulnerabilities in **Cisco Identity Services Engine (ISE)**, tracked as `CVE-2026-20180` and `CVE-2026-20186`, that allow an authenticated attacker to execute arbitrary commands on the underlying operating system by sending crafted HTTP requests. Both issues require at least **Read Only Admin** credentials and stem from insufficient validation of user-supplied input; Cisco mapped them to **`CWE-22`** (path traversal) and **`CWE-77`** (command injection) respectively. Cisco assigned both the same **CVSS v3.1** vector, `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`, which works out to a base score of 9.9 (Critical): a low-privilege account is enough (PR:L), no user interaction is needed, and the changed scope (S:C) means the impact extends beyond the vulnerable component to the resources ISE controls. Successful exploitation provides user-level operating system access and may allow escalation to **root**. Cisco warned that in **single-node ISE deployments** exploitation could also make the affected node unavailable, a denial-of-service condition that prevents endpoints that have not yet authenticated from joining the network until the system is restored.
2 weeks ago
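The CWE-22 weakness named above is the pattern where a user-supplied name is joined onto a base directory and checked only as a string, so `..` sequences or symlinks escape the directory once the OS resolves the path. The block below is an added example, not Cisco's code and not a reconstruction of the ISE bug: it places the naive string-prefix check beside the canonicalize-then-check form that defeats traversal, and runs both against constructed request names and a constructed directory layout (the `exports` base directory, file names and the `/srv/exports` path are all assumptions for the demo).

```python
"""Added example (not Cisco ISE code): naive versus hardened handling of a
user-supplied relative path, the check that blocks CWE-22 path traversal.
The directory layout and request names are constructed for the demo."""
import os
import tempfile
from typing import Dict, Optional


def naive_path(base_dir: str, requested: str) -> Optional[str]:
    """The CWE-22 mistake: concatenate, then trust a textual prefix check.
    'reports/../../etc/passwd' still starts with base_dir, so it passes;
    the OS collapses the '..' components when the file is opened."""
    path = os.path.join(base_dir, requested)
    return path if path.startswith(base_dir) else None


def resolve_under(base_dir: str, requested: str) -> Optional[str]:
    """Canonicalize first, then check containment.

    realpath() collapses '..' and follows symlinks before the check, and
    commonpath() rejects names that merely share a string prefix with the
    base (e.g. /srv/exports2 versus /srv/exports). An absolute `requested`
    makes os.path.join discard base_dir entirely; the check catches that too.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def naive_admits_traversal() -> bool:
    """Shows the string-prefix check accepting a traversal sequence
    (base path '/srv/exports' is an assumption for the demo)."""
    return naive_path("/srv/exports", "reports/../../etc/passwd") is not None


def demo() -> Dict[str, bool]:
    """Returns, per request name, whether the hardened check admits it.
    The base directory, a file inside it, a file outside it and a symlink
    pointing outside are all constructed here for the demo."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "exports")
        os.makedirs(os.path.join(base, "reports"))
        with open(os.path.join(base, "reports", "daily.csv"), "w") as f:
            f.write("ok\n")
        outside = os.path.join(tmp, "outside.txt")
        with open(outside, "w") as f:
            f.write("secret\n")
        names = [
            "reports/daily.csv",            # legitimate file under base
            "reports/../../outside.txt",    # dot-dot traversal out of base
            "/etc/hostname",                # absolute path overrides base
        ]
        try:
            # Symlink inside base that points outside it; realpath follows it.
            os.symlink(outside, os.path.join(base, "link.txt"))
            names.append("link.txt")
        except OSError:
            pass  # platform without symlink support; skip that case
        return {name: resolve_under(base, name) is not None for name in names}


if __name__ == "__main__":
    print("naive check admits traversal:", naive_admits_traversal())
    for name, admitted in demo().items():
        print(f"{name!r:32} -> {'allowed' if admitted else 'refused'}")
```

The order matters: resolving with `realpath` after a prefix check, or checking with `startswith` after resolving, both leave a gap (the first is bypassed by `..`, the second by a sibling directory that shares the prefix). Resolve, then compare the resolved base with `commonpath`.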
Critical Unauthenticated RCE Flaws Patched in Cisco ISE and ISE-PIC
Cisco disclosed two critical vulnerabilities in **Identity Services Engine (ISE)** and **ISE Passive Identity Connector (ISE-PIC)** that allow unauthenticated remote attackers to execute arbitrary code on the underlying operating system with **root privileges**. The flaws, tracked as `CVE-2025-20281` and `CVE-2025-20282`, are independent issues, meaning exploitation of one is not required to exploit the other. `CVE-2025-20281` affects Cisco ISE and ISE-PIC **version 3.3 and later**, while `CVE-2025-20282` affects **version 3.4 only**; Cisco said **version 3.2 and earlier are not affected**. Cisco also warned that `CVE-2025-20282` can enable arbitrary file upload and execution on vulnerable devices. Patches have been released, and organizations running affected deployments have been urged to update immediately.
1 week ago
Cisco Identity Services Engine XML External Entity Vulnerability
Cisco has disclosed and patched CVE-2026-20029 in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC): an XML external entity flaw (CWE-611, CVSS base score 4.9) in the web-based management interface. Because the interface's XML parser processes external entities, an authenticated attacker with administrative privileges can upload a crafted file that causes the parser to read arbitrary files from the underlying operating system, including data that should not be available even to administrators. Cisco confirmed that public proof-of-concept exploit code is available, though there is no evidence of active exploitation at this time. No workarounds exist and the available mitigations are only temporary, so Cisco strongly recommends upgrading to the fixed releases promptly: all versions of ISE and ISE-PIC prior to the fixed releases are affected, with patches available for 3.2, 3.3, and 3.4, while 3.5 is not vulnerable.
1 month ago
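CWE-611 is the class behind the file-read flaw described above: a parser that honours `<!ENTITY ... SYSTEM "path">` declarations will copy the named file into the parsed content. The block below is an added example, not Cisco's code and not a reconstruction of the ISE-PIC bug; it uses Python's `xml.sax` parser, whose `feature_external_ges` switch turns external general entity resolution on (the weak configuration) or off (the hardened one, and the default since Python 3.7.1). The "uploaded" document, the `<profile>` element and the secret file are constructed for the demo.

```python
"""Added example (not Cisco ISE code): how a parser that resolves external
general entities (CWE-611) leaks a local file, and the single setting that
stops it. Secret file, payload and element names are constructed here."""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers the character data of the document, as an importer that
    reads values out of an uploaded configuration file would."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    @property
    def text(self):
        return "".join(self.chunks)


def parse_upload(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse an 'uploaded' document and return its text content.

    resolve_external=True stands for a parser left with external general
    entities enabled: the CWE-611 configuration. False is the hardened
    setting; with it the entity reference yields no content.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def build_xxe_upload(target_path: str) -> bytes:
    """Constructed XXE payload: an external entity whose body is the file at
    target_path, referenced in content so the parser copies the file's text
    into the parsed result (and from there into whatever the app stores,
    displays or logs)."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE profile [<!ENTITY leak SYSTEM "{target_path}">]>\n'
        "<profile>&leak;</profile>\n"
    ).encode()


def demo() -> dict:
    """Run the same payload through both configurations and return what each
    leaked. The secret file is created here for the demo."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")
        with open(secret, "w", encoding="utf-8") as f:
            f.write("db_password=hunter2")
        payload = build_xxe_upload(secret)
        return {
            "vulnerable": parse_upload(payload, resolve_external=True),
            "hardened": parse_upload(payload, resolve_external=False),
        }


if __name__ == "__main__":
    for config, leaked in demo().items():
        print(f"{config:10} -> {leaked!r}")
```

The hardened result is an empty string rather than an error: the parser still sees the declaration but does not fetch the referenced file. When reviewing an upload handler, the check is therefore not "does it reject DOCTYPEs" but "is external entity resolution off in the parser it actually uses", since the declaration alone is harmless and a DOCTYPE ban is easy to forget on a second code path.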