Critical Vulnerabilities in Cisco ISE Pose Remote Code Execution Risk

Networking giant Cisco has issued an urgent security advisory warning of two newly discovered vulnerabilities impacting its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC).

Cisco Identity Services Engine (ISE) is a widely deployed security policy management platform that provides secure access to enterprise network resources.

The most severe flaw could allow an authenticated, remote attacker to achieve full remote code execution (RCE) and compromise critical infrastructure. According to CIS, these vulnerabilities stem from improper input validation and directory traversal flaws.

The official Cisco advisory published on April 15, 2026 reveals these flaws reside in the web-based management interfaces of both products. While exploitation requires valid administrative credentials, the potential impact remains catastrophic, earning a critical severity rating.

Vulnerability Breakdown by Severity

The security bulletin outlines two distinct security flaws that operate independently. Threat actors do not need to chain these vulnerabilities together for successful exploits.

  • CVE-2026-20147 (CVSS 9.9 – Critical): This RCE vulnerability stems from insufficient validation of user-supplied input. Attackers can exploit this by sending maliciously crafted HTTP requests to an affected device. Successful exploitation grants user-level access to the underlying operating system, which can then be trivially elevated to root privileges. In single-node ISE deployments, this exploit can also trigger a complete denial of service (DoS), locking unauthenticated endpoints out of the network until full restoration.
  • CVE-2026-20148 (CVSS 4.9 – Medium): This path traversal flaw occurs due to improper input validation. Authenticated attackers can bypass directory restrictions via crafted HTTP requests to read arbitrary sensitive files on the underlying operating system.

Critical Patch Requirements

Cisco has confirmed no available workarounds exist to prevent exploitation. Organizations must immediately apply software updates:

  • Deployments on version 3.1 must upgrade to 3.1 Patch 11
  • Version 3.2 environments should apply 3.2 Patch 10
  • Version 3.3 systems need 3.3 Patch 11
  • Version 3.4 installations require 3.4 Patch 6
  • Version 3.5 networks must update to 3.5 Patch 3
  • Legacy versions prior to 3.1 require migration to a supported release

These critical vulnerabilities were discovered by security researcher Jonathan Lein of TrendAI Research. As of publication, Cisco PSIRT reports no public proof-of-concept exploits are known, but the CVSS 9.9 severity of the RCE flaw makes immediate patching essential before reverse-engineering occurs.

Related Articles

Back to top button