Cisco ISE Flaws Let Attackers Execute Code, Gain Root Access
Cisco has published a critical security advisory disclosing multiple vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could allow authenticated remote attackers to execute arbitrary code and conduct path traversal attacks on affected systems.
The advisory, published on April 15, 2026, addresses two CVEs, CVE-2026-20147 and CVE-2026-20148, tracked under CWE-22 (Path Traversal) and CWE-77 (Command Injection). Cisco has confirmed that no workarounds are available, making patching the only viable remediation path.
CVE-2026-20147: Remote Code Execution
The more severe of the two flaws, CVE-2026-20147, carries a CVSS base score of 9.9 (Critical) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The vulnerability stems from insufficient validation of user-supplied input within Cisco ISE and ISE-PIC.
An attacker with valid administrative credentials could exploit this flaw by sending a specially crafted HTTP request to the affected device.
A successful exploit grants the attacker user-level access to the underlying operating system, with the ability to escalate privileges to root.
In single-node ISE deployments, exploitation could also trigger a denial-of-service (DoS) condition, preventing unauthenticated endpoints from accessing the network until the node is fully restored.
CVE-2026-20148: Path Traversal
The second vulnerability, CVE-2026-20148, scores 4.9 (Medium) on the CVSS scale and is caused by improper validation of user input.
This flaw allows an attacker with administrative credentials to send crafted HTTP requests and traverse the underlying file system to read arbitrary sensitive files from the affected device.
While this vulnerability is classified as medium severity, it poses a significant risk in environments where sensitive configuration data, credentials, or network policies are stored on ISE nodes.
Affected Products and Fixed Releases
Both vulnerabilities affect Cisco ISE and Cisco ISE-PIC regardless of device configuration. Cisco has released the following patches to address these flaws:
- Release 3.1 — Fixed in 3.1 Patch 11 (April 2026)
- Release 3.2 — Fixed in 3.2 Patch 10 (April 2026)
- Release 3.3 — Fixed in 3.3 Patch 11 (April 2026)
- Release 3.4 — Fixed in 3.4 Patch 6 (April 2026)
- Release 3.5 — Fixed in 3.5 Patch 3
- Releases earlier than 3.1 — Migrate to a fixed release immediately
Cisco ISE-PIC has reached end-of-sale, with Release 3.4 being its last supported version.
The Cisco Product Security Incident Response Team (PSIRT) has stated it is not aware of any public announcements or active malicious exploitation of these vulnerabilities. The flaws were responsibly disclosed by Jonathan Lein of TrendAI Research.
Organizations running Cisco ISE in their network access control infrastructure are strongly urged to apply the relevant patches immediately to mitigate exposure.