Critical Cisco ISE Flaws Let Remote Attackers Execute Code

An urgent security advisory from Cisco warns of multiple vulnerabilities affecting its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC).

According to the official Cisco security advisory published on April 15, 2026, these flaws could allow an authenticated remote attacker to execute arbitrary commands on affected devices.

They may also enable path traversal attacks, a recurring and critical threat vector in enterprise network infrastructure.

Cisco ISE RCE Vulnerability

The advisory notes that two independent vulnerabilities, devices affected by one may not be impacted by the other, and exploitation of one is not required for the other.

The most severe flaw, CVE-2026-20147 (CVSS 9.9), is a critical remote code execution (RCE) vulnerability caused by insufficient validation of user-supplied input.

An attacker with valid administrative credentials could exploit this by sending a specially crafted HTTP request to the targeted device.

A successful attack grants user-level access to the underlying operating system, allowing the attacker to escalate privileges to root.

In single-node ISE deployments, exploiting this vulnerability could cause the node to crash, triggering a denial-of-service (DoS) condition.

Unauthenticated endpoints cannot access the network until administrators fully restore the system.

The second flaw, CVE-2026-20148 (CVSS 4.9), is a path-traversal vulnerability that requires valid admin credentials and is caused by improper input validation.

By sending a crafted HTTP request, an attacker could perform path traversal attacks to access and read sensitive, arbitrary files directly from the underlying operating system.

Cisco confirms no workarounds are available and urges administrators to upgrade immediately to patched versions.

The required security updates are outlined below, following standard vulnerability reporting structures for system administrators:

• Releases older than 3.1: Migrate to a supported, fixed release.
• Release 3.1: Upgrade to 3.1 Patch 11.
• Release 3.2: Upgrade to 3.2 Patch 10.
• Release 3.3: Upgrade to 3.3 Patch 11.
• Release 3.4: Upgrade to 3.4 Patch 6.
• Release 3.5: Upgrade to 3.5 Patch 3.

Administrators should note that Cisco ISE-PIC release 3.4 is the final supported version, as the product has officially reached its end-of-sale date.

The vulnerabilities were discovered and reported to Cisco by security researcher Jonathan Lein of TrendAI Research.

At the time of the advisory’s publication, the Cisco Product Security Incident Response Team (PSIRT) stated that they are not aware of any public announcements or active malicious exploitation of these vulnerabilities in the wild.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.