**Cisco Patches Medium-Severity Flaws in ISE and Snort 3, Including Exploitable XML Vulnerability**
Cisco has released security updates to address three medium-severity vulnerabilities, including one with a public proof-of-concept (PoC) exploit. The most notable flaw, CVE-2026-20029 (CVSS 4.9), affects Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), allowing authenticated attackers with administrative privileges to access sensitive files on the underlying OS.
The vulnerability stems from improper XML parsing in the web-based management interface. An attacker could exploit it by uploading a malicious file, potentially reading restricted system files. Bobby Gould of Trend Micro Zero Day Initiative reported the issue, which impacts:
- ISE/ISE-PIC versions prior to 3.2 (users must migrate to a fixed release)
- 3.2 (patch with 3.2 Patch 8)
- 3.3 (patch with 3.3 Patch 8)
- 3.4 (patch with 3.4 Patch 4)
- 3.5 (not vulnerable)
Cisco confirmed the availability of a PoC exploit but reported no active exploitation in the wild. No workarounds exist, making updates the only mitigation.
Additionally, Cisco patched two Snort 3-related flaws in its Secure Firewall Threat Defense (FTD) Software, IOS XE Software, and Meraki software:
- CVE-2026-20026 (CVSS 5.8): A denial-of-service (DoS) vulnerability in Snort 3’s DCE/RPC processing, allowing unauthenticated attackers to crash the detection engine.
- CVE-2026-20027 (CVSS 5.3): An information disclosure bug in the same component, enabling data leaks.
Guy Lederfein of Trend Micro reported these issues, both of which are exploitable only on devices where Snort 3 is configured. Cisco has released fixes for all affected products.
Source: https://thehackernews.com/2026/01/cisco-patches-ise-security.html
Cisco cybersecurity rating report: https://www.rankiteo.com/company/cisco
"id": "CIS1767871927",
"linkid": "cisco",
"type": "Vulnerability",
"date": "1/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'industry': 'Technology/Networking',
'name': 'Cisco',
'type': 'Corporation'}],
'attack_vector': 'Remote',
'data_breach': {'sensitivity_of_data': 'High (arbitrary files from underlying '
'OS)',
'type_of_data_compromised': 'Sensitive information'},
'description': 'Cisco has released updates to address a medium-severity '
'security flaw in Identity Services Engine (ISE) and ISE '
'Passive Identity Connector (ISE-PIC) with a public '
'proof-of-concept (PoC) exploit. The vulnerability, tracked as '
'CVE-2026-20029 (CVSS score: 4.9), resides in the licensing '
'feature and could allow an authenticated, remote attacker '
'with administrative privileges to gain access to sensitive '
'information.',
'impact': {'data_compromised': 'Sensitive information',
'systems_affected': 'Cisco ISE and ISE-PIC underlying operating '
'system files'},
'investigation_status': 'Completed (patches released)',
'post_incident_analysis': {'corrective_actions': 'Fixed XML parsing logic in '
'updated releases',
'root_causes': 'Improper parsing of XML in the '
'web-based management interface'},
'recommendations': 'Users should update to the latest version of Cisco ISE '
'and ISE-PIC for adequate protection.',
'references': [{'source': 'Cisco Advisory'},
{'source': 'Trend Micro Zero Day Initiative'}],
'response': {'containment_measures': 'Released patches for affected versions',
'remediation_measures': 'Update to fixed releases (3.2 Patch 8, '
'3.3 Patch 8, 3.4 Patch 4, or migrate to '
'3.5)'},
'title': 'CVE-2026-20029: Cisco ISE and ISE-PIC XML Parsing Vulnerability',
'type': 'Information Disclosure',
'vulnerability_exploited': 'CVE-2026-20029'}