Cisco has issued an emergency security advisory disclosing two vulnerabilities, one rated critical and one rated medium severity, in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) platforms.
The remote code execution flaw earned a near-maximum CVSS score of 9.9, demanding immediate patching across all enterprise deployments.
Cisco Identity Services Engine is the backbone of enterprise network access control (NAC) and zero-trust architectures. It authenticates and authorizes users, devices, and endpoints connecting to corporate networks, making it one of the most security-critical platforms in any large organization’s infrastructure.
A successful compromise of Cisco ISE doesn’t just expose a single device; it can cascade into full network access control bypass, enabling attackers to move laterally across the enterprise undetected.
Published on April 15, 2026, the advisory covers two distinct vulnerabilities, CVE-2026-20147 and CVE-2026-20148, affecting Cisco ISE and ISE-PIC regardless of device configuration.
The vulnerabilities are independent of each other; exploiting one does not require exploiting the other, and a software release affected by one may not be affected by the other. Jonathan Lein of TrendAI Research responsibly reported the flaws.
CVE-2026-20147: Remote Code Execution With Root Escalation (CVSS 9.9)
The more severe of the two flaws, CVE-2026-20147, carries a CVSS 3.1 base score of 9.9 with a vector of AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating network-accessible, low-complexity exploitation that requires only low-privilege authenticated access.
The vulnerability stems from insufficient validation of user-supplied input in the web-based management interface. An attacker with valid administrative credentials can send a specially crafted HTTP request to trigger arbitrary command execution on the underlying operating system.
Once initial access is obtained, the attacker can escalate privileges to root, gaining complete control over the affected ISE node.
The impact extends beyond data compromise. In single-node ISE deployments, successful exploitation can render the ISE node completely unavailable, creating a denial-of-service (DoS) condition that prevents unauthenticated endpoints from accessing the network until the node is restored.
For organizations that rely on ISE as the sole network gatekeeper, this could result in a complete network lockdown during an active attack. The flaw is classified under CWE-77 (Command Injection).
This vulnerability represents a textbook example of why enterprise authentication platforms require rigorous input sanitization at every API endpoint.
CVE-2026-20148: Path Traversal Enables Sensitive File Exfiltration (CVSS 4.9)
The second vulnerability, CVE-2026-20148 (Bug ID: CSCws52717), is rated Medium severity with a CVSS score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N), requiring high-privilege administrative credentials.
Classified under CWE-22 (Path Traversal), this flaw arises from improper validation of user-supplied input, allowing an authenticated attacker to craft HTTP requests that traverse directory boundaries on the underlying operating system.
A successful exploit enables the attacker to read arbitrary files, including sensitive configuration data, authentication certificates, private keys, and other restricted system files that should remain inaccessible even to administrative accounts.
Path traversal vulnerabilities in network access control platforms are particularly dangerous because ISE stores highly sensitive authentication data.
Exposing these files could give threat actors the keys needed to forge authentication sessions, impersonate trusted devices, or establish persistent backdoors.
Affected Versions and Fixed Releases
These vulnerabilities affect all configurations of Cisco ISE and Cisco ISE-PIC. The following table summarizes the patched release timeline:
| Cisco ISE / ISE-PIC Release | First Fixed Release |
|---|---|
| Earlier than 3.1 | Migrate to a fixed release |
| 3.1 | 3.1 Patch 11 (Apr 2026) |
| 3.2 | 3.2 Patch 10 (Apr 2026) |
| 3.3 | 3.3 Patch 11 (Apr 2026) |
| 3.4 | 3.4 Patch 6 (Apr 2026) |
| 3.5 | 3.5 Patch 3 |
Note: Cisco ISE-PIC has reached end-of-sale. Release 3.4 is the last supported version for ISE-PIC.
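As an added example (not part of the advisory or the article), the following Python helper turns the table above into an inventory check: it parses release strings such as "3.3 Patch 9", compares them against the first fixed patch for each train, and flags nodes that need patching or migration. The host names and release strings in the sample inventory are constructed.

```python
"""Flag Cisco ISE / ISE-PIC nodes below the first fixed release for
CVE-2026-20147 and CVE-2026-20148, using the advisory's patch table.
The inventory below is constructed sample data, not real hosts."""
import re
from typing import Optional

# First fixed patch level per release train, taken from the advisory table.
# Trains older than 3.1 have no fix and must migrate to a fixed release.
FIRST_FIXED = {(3, 1): 11, (3, 2): 10, (3, 3): 11, (3, 4): 6, (3, 5): 3}
OLDEST_FIXABLE = (3, 1)

# Accepts "3.3", "3.3 Patch 7" and the shorthand "3.3p7" (case-insensitive).
_VER_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s*(?:patch|p)\s*(\d+))?\s*$", re.I)


def parse_release(text: str) -> Optional[tuple]:
    """'3.3 Patch 7' -> (3, 3, 7); '3.4' -> (3, 4, 0); None if unparsable."""
    m = _VER_RE.match(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(release: str) -> str:
    """Return 'fixed', 'vulnerable', 'migrate' or 'unknown' for one node."""
    parsed = parse_release(release)
    if parsed is None:
        return "unknown"
    major, minor, patch = parsed
    train = (major, minor)
    if train < OLDEST_FIXABLE:
        return "migrate"            # no patch exists for these trains
    fixed = FIRST_FIXED.get(train)
    if fixed is None:
        return "unknown"            # train not covered by the advisory table
    return "fixed" if patch >= fixed else "vulnerable"


def triage(inventory):
    """Map each (hostname, release) pair to its patch status."""
    return {host: assess(release) for host, release in inventory}


SAMPLE_INVENTORY = [  # constructed sample inventory
    ("ise-pan-01", "3.3 Patch 11"),
    ("ise-psn-02", "3.3 Patch 9"),
    ("ise-psn-03", "3.4"),
    ("ise-legacy", "3.0 Patch 8"),
    ("pic-01", "3.4 Patch 6"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```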
No Workarounds Available – Patch Is the Only Remediation
Cisco explicitly states that no workarounds exist for either vulnerability. This is a critical detail for security teams: there are no compensating controls, firewall rules, or configuration changes that mitigate the risk short of applying the official patches.
Organizations running Cisco ISE in their network access control infrastructure are strongly urged to apply the relevant patches immediately, given the critical severity of CVE-2026-20147 and the absence of any viable workaround.
Frequently Asked Questions (FAQs)
Q1: Does exploiting CVE-2026-20147 require unauthenticated access?
No, an attacker must possess valid administrative credentials to exploit either vulnerability in this advisory.
Q2: Can CVE-2026-20147 and CVE-2026-20148 be chained together in a single attack?
The vulnerabilities are independent and do not depend on each other for exploitation, though a combined attack could enable both RCE and sensitive file exfiltration.
Q3: Is Cisco ISE-PIC also affected by these vulnerabilities?
Yes, Cisco ISE-PIC is explicitly listed as a vulnerable product, though its last supported release is 3.4 due to its end-of-sale status.
Q4: Has Cisco observed any active exploitation of CVE-2026-20147 or CVE-2026-20148 in the wild?
As of April 15, 2026, Cisco PSIRT has confirmed that there have been no public announcements or malicious exploitation of these vulnerabilities.