Cisco has disclosed two severe vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) platform, enabling remote code execution and unauthenticated credential theft, with no workarounds available and immediate patching required.
Cisco issued Advisory ID cisco-sa-ise-multi-G5WP8vv on June 17, 2026, warning enterprise network administrators of dual attack vectors in one of the industry’s most widely deployed network access control (NAC) solutions.
The vulnerabilities, tracked as CVE-2026-20181 and CVE-2026-20190, affect Cisco ISE and ISE-PIC regardless of device configuration, so no deployment type is immune; which release trains each flaw affects differs, however, and is set out in the Affected Versions section below.
Cisco Identity Services Engine is a policy-based network access control and identity management platform used by enterprises globally to authenticate users and devices, enforce security policies, and provide visibility across network infrastructure.
ISE sits at the core of Zero Trust architectures, which makes vulnerabilities in this platform especially high-impact: a compromised ISE node can destabilize an entire organization's network access policy framework.
Because ISE manages authentication for potentially thousands of endpoints, attackers who compromise it gain privileged insight into the full identity and access ecosystem of a target organization.
The first and more severe flaw, CVE-2026-20181, carries a CVSS Base Score of 9.1 (Critical) with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, classified under CWE-22 (Path Traversal).
This vulnerability exists due to insufficient validation of user-supplied input, allowing an authenticated attacker with valid administrative credentials to send a specially crafted HTTP request to the affected device.
A successful exploit allows the attacker to gain user-level access to the underlying operating system and subsequently escalate privileges to root, achieving full system control.
In single-node ISE deployments, successful exploitation can render the ISE node completely unavailable, creating a denial-of-service (DoS) condition in which endpoints can no longer authenticate to the network until the node is restored. Cisco Bug ID CSCwt22913 tracks this issue.
This vulnerability was reported independently by Jonathan Lein of TrendAI Research and by Li Jiantao and Tevel Sho of STAR Labs SG Pte. Ltd. Discovery by two unrelated teams suggests the flaw is findable with modest effort, which raises the likelihood that others, including attackers, will locate it as well.
The second flaw, CVE-2026-20190, is classified as High severity with a CVSS Base Score of 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, and is rooted in CWE-285 (Improper Authorization).
Unlike CVE-2026-20181, this vulnerability requires no authentication at all: any remote attacker who can reach the affected interface can exploit it by sending crafted traffic to the device.
The root cause is improper authorization checks when a resource is accessed, allowing attackers to bypass access controls and reach sensitive data endpoints.
A successful exploit exposes hashed credentials stored on the ISE appliance. Those hashes can be cracked offline, and any recovered plaintext reused in later intrusion stages, which creates a dangerous chained attack path when combined with CVE-2026-20181. Cisco Bug ID CSCwt22936 tracks this flaw, reported by Bobby Gould of TrendAI Zero Day Initiative.
Security researchers note that the two vulnerabilities are independent and neither depends on the other, but together they form a particularly dangerous attack chain.
An attacker could first exploit CVE-2026-20190 without credentials to harvest hashed credentials, crack them offline to recover an administrative password, and then use that access to exploit CVE-2026-20181 for root-level code execution on the ISE system.
This “unauthenticated-to-root” chaining scenario represents an exceptionally high risk for organizations that have ISE admin interfaces exposed to broader internal zones, VPN concentrators, or inadvertently to the internet.
Cisco PSIRT has confirmed no public exploitation or active in-the-wild abuse has been observed at the time of disclosure, but the dual independent discovery of CVE-2026-20181 suggests significant researcher interest in this attack surface.
Affected Versions
Exposure depends on the release train rather than on configuration: every ISE and ISE-PIC release is affected by CVE-2026-20181, while CVE-2026-20190 affects only the 3.4 and 3.5 trains. The table below outlines the fixed release matrix:
| ISE / ISE-PIC Release | Fix for CVE-2026-20181 | Fix for CVE-2026-20190 |
|---|---|---|
| Earlier than 3.3 | Migrate to fixed release | Not vulnerable |
| 3.3 | 3.3 Patch 11 | Not vulnerable |
| 3.4 | 3.4 Patch 6 | 3.4 Patch 6 |
| 3.5 | 3.5 Patch 4 (Aug 2026) | 3.5 Patch 3 |
Note: Cisco ISE-PIC has reached the end of sale, and Release 3.4 is its last supported version. For ISE 3.5 users who need an immediate fix for CVE-2026-20181 before the August 2026 patch release, a hot patch is available on request through the Cisco Technical Assistance Center (TAC).
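Applying that matrix across a fleet by hand is error-prone, especially with the split 3.5 fixes and the TAC hot patch. The script below is an added example, not a Cisco tool: it encodes the matrix as published above and reports, per node, which CVE is fixed, open, not applicable, covered by the hot patch, or only fixable by migration. It assumes (this is not from the advisory) that the operator records versions as "3.4.0.608 Patch 5" or "3.4 Patch 6" style strings, that a missing "Patch N" means patch level 0, and that the 3.5 hot patch is tracked as a separate flag; the inventory is constructed for demonstration.

```python
"""Patch-state triage against the advisory's fixed-release matrix
(added example, not a Cisco tool).

Assumptions (not from the advisory): version strings look like
"3.4.0.608 Patch 5" or "3.4 Patch 6"; no "Patch N" means patch level 0;
the 3.5 TAC hot patch for CVE-2026-20181 is recorded as a per-node flag.
"""
import re
from dataclasses import dataclass

# Fix matrix as published in the advisory: train -> {CVE: first fixed patch}.
# None means the train is not affected by that CVE.
FIX_MATRIX = {
    "3.3": {"CVE-2026-20181": 11, "CVE-2026-20190": None},
    "3.4": {"CVE-2026-20181": 6, "CVE-2026-20190": 6},
    "3.5": {"CVE-2026-20181": 4, "CVE-2026-20190": 3},
}
OLDEST_SUPPORTED = (3, 3)  # anything older: "migrate to fixed release"

VERSION_RE = re.compile(
    r"^\s*(?P<major>\d+)\.(?P<minor>\d+)(?:\.\d+)*"   # 3.4 or 3.4.0.608
    r"(?:\s*(?:Patch|P)\s*(?P<patch>\d+))?\s*$",      # optional "Patch 5"
    re.IGNORECASE)


@dataclass
class Node:
    name: str
    version: str
    hotpatch_20181: bool = False  # TAC hot patch applied (3.5 only)


def parse_version(text: str):
    """Return (train, patch) from a version string, e.g. ('3.4', 5)."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    train = f"{m['major']}.{m['minor']}"
    patch = int(m["patch"]) if m["patch"] else 0
    return train, patch


def open_cves(node: Node) -> dict:
    """Map each CVE to 'fixed', 'open', 'not affected', 'hot patch' or
    'migrate' (train older than 3.3)."""
    train, patch = parse_version(node.version)
    major, minor = (int(x) for x in train.split("."))
    if (major, minor) < OLDEST_SUPPORTED:
        # Earlier than 3.3: CVE-2026-20181 is fixed only by migrating;
        # CVE-2026-20190 does not affect these trains per the matrix.
        return {"CVE-2026-20181": "migrate", "CVE-2026-20190": "not affected"}
    if train not in FIX_MATRIX:
        raise ValueError(f"train {train} is not in the published matrix")

    result = {}
    for cve, first_fixed in FIX_MATRIX[train].items():
        if first_fixed is None:
            result[cve] = "not affected"
        elif patch >= first_fixed:
            result[cve] = "fixed"
        elif cve == "CVE-2026-20181" and train == "3.5" and node.hotpatch_20181:
            result[cve] = "hot patch"   # interim cover until 3.5 Patch 4
        else:
            result[cve] = "open"
    return result


def needs_action(node: Node) -> bool:
    """True if any CVE is still open or the node must be migrated."""
    return any(s in ("open", "migrate") for s in open_cves(node).values())


# Constructed inventory for demonstration; not real hosts.
INVENTORY = [
    Node("ise-pan-1", "3.4.0.608 Patch 5"),
    Node("ise-psn-2", "3.4 Patch 6"),
    Node("ise-psn-3", "3.5.0.101 Patch 3", hotpatch_20181=True),
    Node("ise-pic-1", "3.2 Patch 7"),
    Node("ise-lab-1", "3.3.0.430"),
]

if __name__ == "__main__":
    for n in INVENTORY:
        flag = "ACTION" if needs_action(n) else "ok"
        print(f"{n.name:10} {n.version:20} {flag:6} {open_cves(n)}")
```

A node on 3.5 Patch 3 with the hot patch is reported as covered, but the "hot patch" status is deliberately kept distinct from "fixed" so that it shows up again when 3.5 Patch 4 ships and the interim fix should be replaced.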
Mitigation
Cisco explicitly confirms that no workarounds exist for either vulnerability, so upgrading is the only remediation; the remaining items below are compensating controls that reduce exposure while the upgrade is scheduled. Organizations should act on the following immediately:
- Upgrade to the applicable fixed release per the matrix above: 3.3 Patch 11, 3.4 Patch 6, or 3.5 Patch 3/4
- Restrict administrative access to ISE and ISE-PIC management interfaces to hardened, isolated management networks only
- Block public internet access to the ISE admin console if currently exposed through VPN concentrators or legacy setups
- Enforce MFA on all ISE administrative roles and audit authentication logs for unexpected admin sessions (this raises the bar for the CVE-2026-20181 step of the chain but does nothing against the unauthenticated CVE-2026-20190)
- Monitor ISE nodes for unexpected child processes spawned by the web service account and anomalous outbound traffic
- Contact Cisco TAC if running ISE 3.5 and requiring the hot patch before the August 2026 scheduled release
Summary
| Attribute | CVE-2026-20181 | CVE-2026-20190 |
|---|---|---|
| Type | Remote Code Execution | Information Disclosure |
| CVSS Score | 9.1 (Critical) | 7.5 (High) |
| Authentication | Required (Admin) | Not Required |
| CWE | CWE-22 | CWE-285 |
| Impact | RCE + Root Escalation + DoS | Hashed Credential Exposure |
| Bug ID | CSCwt22913 | CSCwt22936 |
| Reported by | TrendAI Research / STAR Labs SG | TrendAI Zero Day Initiative |
FAQ
Q1: Does CVE-2026-20190 require authentication to exploit?
No. CVE-2026-20190 is exploitable by any unauthenticated remote attacker who can send crafted traffic to an affected ISE device, so wherever the affected interface is reachable from untrusted networks it is directly accessible to external threat actors.
Q2: Can CVE-2026-20181 and CVE-2026-20190 be chained together in a real attack?
Yes, attackers can first use CVE-2026-20190 to steal hashed credentials without authentication, then use those credentials to authenticate and exploit CVE-2026-20181 for full root-level code execution.
Q3: Is there a workaround available while patching is being planned?
No, Cisco explicitly states there are no workarounds for either vulnerability; immediate upgrade to a fixed software release is the only remediation.
Q4: Which Cisco ISE version is the first fixed release that addresses both CVE-2026-20181 and CVE-2026-20190 simultaneously?
It depends on the train. On 3.4, Patch 6 fixes both vulnerabilities and is the recommended target. On 3.5, Patch 3 fixes only CVE-2026-20190; both are fixed together in 3.5 Patch 4 (August 2026), with the TAC hot patch covering CVE-2026-20181 until then. On 3.3, Patch 11 is sufficient because that train is not affected by CVE-2026-20190.
Site: thecybrdef.com