Cisco fixed a critical ISE vulnerability that lets attackers gain root access

Cisco addressed CVE-2026-20181, a critical ISE vulnerability that lets authenticated admins execute commands and gain root access.

Cisco addressed a critical command execution vulnerability, tracked as CVE-2026-20181 (CVSS score of 9.1), affecting Identity Services Engine (ISE) and ISE-PIC. The flaw stems from improper validation of user-supplied input, allowing an authenticated attacker with administrative credentials to send crafted HTTP requests and execute commands on the underlying operating system. Successful exploitation can lead to privilege escalation and full root access.

According to the advisory, only an attacker with valid administrative credentials can exploit this vulnerability.

“This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root,” reads the advisory. “In single-node deployments, successful exploitation of this vulnerability could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.”

In single-node deployments, attackers could exploit the flaw to trigger a denial-of-service condition, blocking unauthenticated endpoints from accessing the network until recovery.

Cisco fixed the issue in ISE/ISE-PIC 3.3 Patch 11 and 3.4 Patch 6, while a hotfix is available for version 3.5 and will be included in Patch 4 scheduled for August.

Cisco also patched CVE-2026-20190 (CVSS score of 7.5), a high-severity information disclosure flaw that could expose sensitive data, including hashed credentials, to unauthenticated attackers.

“This vulnerability is due to improper authorization checks when a resource is accessed. An attacker could exploit this vulnerability by sending crafted traffic to an affected device,” states the advisory. “A successful exploit could allow the attacker to gain access to sensitive information, including hashed credentials that could be used in future attacks.”

The Cisco Product Security Incident Response Team (PSIRT) is not aware of any attacks in the wild exploiting either of these vulnerabilities.

Additional information is available on the security advisories page.


Pierluigi Paganini

(SecurityAffairs – hacking, Identity Services Engine)
