Critical Cisco ISE Flaw Enables Remote Code Execution

Cisco has disclosed critical security vulnerabilities within its Identity Services Engine (ISE). These flaws could allow attackers to execute malicious code remotely and access sensitive data, posing a significant risk to enterprise networks.

The vulnerabilities, tracked as CVE-2026-20181 and CVE-2026-20190, were published under advisory ID cisco-sa-ise-multi-G5WP8vv on June 17, 2026.

With a CVSS score of 9.1, the flaws impact Cisco ISE and ISE Passive Identity Connector (ISE-PIC) deployments regardless of configuration.

The most severe issue, CVE-2026-20181, is a remote code execution (RCE) vulnerability caused by improper validation of user-supplied input.

An authenticated attacker with administrative privileges can exploit the flaw by sending a crafted HTTP request to the affected system.

Cisco ISE RCE Vulnerability

Successful exploitation allows attackers to execute arbitrary commands on the underlying operating system. Attackers may initially gain user-level access and then escalate their privileges to root, gaining full control of the device.

In single-node deployments, exploitation can also lead to a denial-of-service condition, preventing new endpoints from authenticating to the network until the system is restored. This could disrupt enterprise access control systems that rely on Cisco ISE.

The second flaw, CVE-2026-20190, is an information disclosure vulnerability caused by improper authorization checks. Unlike the RCE issue, this vulnerability can be exploited by an unauthenticated remote attacker.

By sending crafted requests, attackers may gain access to sensitive information stored on the device, including hashed credentials. These credentials could be leveraged in further attacks, increasing the risk of lateral movement within a network.

Cisco confirmed that all versions of ISE and ISE-PIC are affected, though specific vulnerabilities vary by release.

Cisco has released fixes for the vulnerabilities in ISE 3.3 Patch 11 and ISE 3.4 Patch 6, with a fix for ISE 3.5 Patch 4 planned for August 2026.

Earlier versions must be migrated to supported releases, and no workarounds are available, making patching the only effective mitigation.

Cisco’s Product Security Incident Response Team (PSIRT) stated that there is currently no evidence of active exploitation in the wild. However, given the high severity and ease of exploitation, organizations are strongly advised to prioritize updates.

The vulnerabilities were reported by security researchers from TrendAI, STAR Labs, and the Zero Day Initiative, highlighting coordinated industry efforts in responsible disclosure.

Organizations using Cisco ISE should immediately assess their exposure and upgrade to fixed software versions.

Additional defensive measures include: Restricting administrative access to trusted networks, Monitoring logs for suspicious HTTP requests, Reviewing authentication and privilege escalation activity.

These vulnerabilities underscore the critical role of identity infrastructure in enterprise security and the potential impact when such systems are compromised.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.