Cisco has disclosed critical vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could enable attackers to execute malicious code remotely and access sensitive data, posing significant risks to enterprise networks.
The vulnerabilities, identified as CVE-2026-20181 and CVE-2026-20190, were detailed in advisory ID cisco-sa-ise-multi-G5WP8vv on June 17, 2026. Both carry a CVSS score of 9.1, indicating high severity, and affect all configurations of Cisco ISE and ISE-PIC deployments.
Remote Code Execution Vulnerability (CVE-2026-20181)
The more severe of the two, CVE-2026-20181, is a remote code execution (RCE) vulnerability resulting from improper validation of user-supplied input. An authenticated attacker with administrative privileges can exploit this flaw by sending a specially crafted HTTP request to the affected system. Successful exploitation allows the execution of arbitrary commands on the underlying operating system. Attackers may initially gain user-level access and then escalate privileges to root, achieving full control over the device.
In single-node deployments, exploitation can also lead to a denial-of-service condition, preventing new endpoints from authenticating to the network until the system is restored. This disruption could significantly impact enterprise access control systems that rely on Cisco ISE.
Information Disclosure Vulnerability (CVE-2026-20190)
The second vulnerability, CVE-2026-20190, involves improper authorization checks, allowing unauthenticated remote attackers to access sensitive information. By sending crafted requests, attackers may retrieve data stored on the device, including hashed credentials. These credentials could be leveraged in further attacks, increasing the risk of lateral movement within a network.
Affected Systems and Mitigation
All versions of Cisco ISE and ISE-PIC are affected by these vulnerabilities, though specific impacts may vary by release. Cisco has released fixes for ISE 3.3 Patch 11 and ISE 3.4 Patch 6, with a fix for ISE 3.5 Patch 4 planned for August 2026. Earlier versions must be migrated to supported releases, as no workarounds are available, making patching the only effective mitigation.
Cisco’s Product Security Incident Response Team (PSIRT) has stated that there is currently no evidence of active exploitation in the wild. However, given the high severity and ease of exploitation, organizations are strongly advised to prioritize updates.
The vulnerabilities were reported by security researchers from TrendAI, STAR Labs, and the Zero Day Initiative, highlighting coordinated industry efforts in responsible disclosure.
Organizations using Cisco ISE should immediately assess their exposure and upgrade to fixed software versions. Additional defensive measures include restricting administrative access to trusted networks, monitoring logs for suspicious HTTP requests, and reviewing authentication and privilege escalation activity.
These vulnerabilities underscore the critical role of identity infrastructure in enterprise security and the potential impact when such systems are compromised. Prompt action is essential to mitigate the risks associated with these flaws.
