
Cisco Warns of Critical Identity Service Engine Flaw

Summary

– Cisco has patched a critical vulnerability (CVE-2026-20029) in its Identity Services Engine (ISE) that allows privileged attackers to read sensitive system files.
– The flaw stems from improper XML parsing in the web interface and can be exploited by uploading a malicious file with admin credentials.
– Cisco strongly recommends upgrading to fixed software releases, as a public proof-of-concept exploit exists, though no active exploitation is confirmed.
– The article notes a history of severe Cisco ISE flaws, including a previously exploited zero-day (CVE-2025-20337) that allowed remote code execution.
– Cisco also recently addressed IOS XE vulnerabilities and warned of ongoing attacks exploiting an unpatched AsyncOS zero-day (CVE-2025-20393) in email security appliances.

Cisco has released a critical security patch for a vulnerability within its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) platforms. This flaw, designated CVE-2026-20029, could allow attackers with administrative access to read sensitive files from the underlying operating system. The issue stems from improper XML parsing within the web-based management interface, which can be exploited by uploading a malicious file. While Cisco has not observed active exploitation in the wild, public proof-of-concept exploit code is available, significantly increasing the risk for unpatched systems.
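The article does not say which parser is involved or what the exact defect is, only that improper XML parsing of an uploaded file lets an administrator read files from the host. The following is an added example, not Cisco's code and not a claim about the internals of CVE-2026-20029: it shows the standard hardening applied to XML accepted through an upload path, using Python's stdlib expat bindings to refuse DOCTYPE declarations, entity declarations and external entity resolution outright. The function names and the two sample documents are constructed for illustration.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when an uploaded document tries to declare a DTD or entity."""


def parse_uploaded_xml(data: bytes) -> dict:
    """Parse XML from an untrusted upload without any DTD processing.

    Returns a flat {element: text} dict for the leaf elements so the
    caller can see the parse succeeded. Hypothetical hardening helper.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True  # deliver each text node as one chunk
    collected: dict = {}
    stack: list = []

    def reject(*_args):
        raise UnsafeXMLError("DOCTYPE, entities and external refs are refused")

    # Uploads never legitimately need a DTD here, so any DOCTYPE is refused
    # before expat ever sees an entity declaration.
    parser.StartDoctypeDeclHandler = reject
    # Belt and braces: refuse entity declarations and external references too.
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject

    def start(name, _attrs):
        stack.append(name)

    def end(_name):
        stack.pop()

    def chars(text):
        if stack and text.strip():
            collected[stack[-1]] = collected.get(stack[-1], "") + text.strip()

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return collected


def check_upload(data: bytes) -> bool:
    """True if the upload parses under the hardened rules, False otherwise."""
    try:
        parse_uploaded_xml(data)
        return True
    except UnsafeXMLError:
        return False


# Constructed sample uploads (not real ISE configuration files).
BENIGN_UPLOAD = b"<?xml version='1.0'?><profile><name>guest-portal</name><vlan>20</vlan></profile>"
DTD_UPLOAD = b"<?xml version='1.0'?><!DOCTYPE profile [<!ENTITY e 'x'>]><profile><name>&e;</name></profile>"
```

The same gate is the right place to enforce a size limit and a content-type check before the bytes reach any parser.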

The Identity Services Engine is a cornerstone for many enterprise networks, providing centralized control over user and device access while enforcing zero-trust security policies. The vulnerability is particularly concerning because it could allow an authenticated administrator to access data that should remain inaccessible, even to privileged accounts. Cisco emphasizes that any potential workarounds are temporary fixes and strongly recommends that customers upgrade to the fixed software releases to fully address the threat and prevent future exposure.

Affected administrators should immediately review their software versions. For ISE or ISE-PIC releases earlier than 3.2, a migration to a fixed release is necessary. Specific patched versions include 3.2 Patch 8, 3.3 Patch 8, and 3.4 Patch 4. Release 3.5 is not vulnerable. This urgent patching directive follows a pattern of serious vulnerabilities in Cisco’s security products. In a separate advisory, Cisco also addressed several IOS XE vulnerabilities related to the Snort 3 Detection Engine, though no public exploit code exists for those issues currently.

This latest flaw arrives on the heels of other severe Cisco vulnerabilities that have been actively weaponized. In November, threat actors exploited a maximum-severity Cisco ISE zero-day (CVE-2025-20337) to deploy custom malware, a flaw that could allow unauthenticated code execution or root access. Furthermore, in December, Cisco warned that a Chinese threat group known as UAT-9686 is exploiting an unpatched zero-day (CVE-2025-20393) in Cisco AsyncOS software, targeting email security appliances. For that ongoing threat, Cisco advises temporary mitigation through network segmentation, access restriction to trusted hosts, and the use of firewalls until a permanent patch is available.

The consecutive discovery of these critical vulnerabilities underscores the persistent targeting of network infrastructure by sophisticated adversaries. Organizations relying on Cisco security and access control products must prioritize prompt patch management and maintain vigilant monitoring of their administrative interfaces to defend against these escalating threats.

(Source: Bleeping Computer)
