Cisco: Critical Cisco ISE Vulnerability Enables Remote Code Execution Attacks

Critical Cisco ISE Vulnerabilities Expose Networks to Remote Attacks

Cisco has disclosed two critical vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), which could allow remote attackers to execute arbitrary code or steal sensitive credentials. The flaws, published on June 17, 2026, carry a maximum CVSS score of 9.1 and affect deployments regardless of configuration.

CVE-2026-20181 (CVSS 9.1) stems from insufficient input validation in the ISE web interface, enabling an authenticated attacker with admin credentials to execute arbitrary commands as root via a crafted HTTP request. In single-node deployments, exploitation can also trigger a denial-of-service (DoS) condition, disrupting network access for unauthenticated endpoints. The flaw is classified as a path traversal (CWE-22) vulnerability.

CVE-2026-20190 (CVSS 8.6) affects ISE and ISE-PIC Release 3.4 and later, allowing an unauthenticated attacker to bypass authorization checks and extract sensitive data, including hashed credentials. This could facilitate credential-stuffing or lateral movement attacks.

Affected Versions & Fixes:

  • ISE 3.3: Patch 11 (CVE-2026-20181 only)
  • ISE 3.4: Patch 6 (both vulnerabilities)
  • ISE 3.5: Patch 4 (August 2026) and Patch 3 (CVE-2026-20190)
  • ISE-PIC 3.4: Patch 6 (last supported version)

Cisco has released patches for all affected versions, with a hot patch for ISE 3.5 available via the Cisco Technical Assistance Center (TAC). No workarounds exist, and organizations must apply updates immediately. The Cisco PSIRT reports no active exploitation or public proof-of-concept code at this time.

The vulnerabilities were reported by Jonathan Lein (TrendAI Research), Li Jiantao and Tevel Sho (STAR Labs SG), and Bobby Gould (TrendAI Zero Day Initiative). Given the potential for root-level access and credential theft, security teams are urged to prioritize patching.

Source: https://cyberpress.org/critical-cisco-ise-vulnerability/

Cisco TPRM report: https://www.rankiteo.com/company/cisco

"id": "cis1781792750",
"linkid": "cisco",
"type": "Vulnerability",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Networking and Cybersecurity',
                        'name': 'Cisco',
                        'type': 'Technology Company'}],
 'attack_vector': ['Web Interface', 'HTTP Request'],
 'data_breach': {'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Hashed credentials, sensitive '
                                             'data'},
 'date_publicly_disclosed': '2026-06-17',
 'description': 'Cisco has disclosed two critical vulnerabilities in its '
                'Identity Services Engine (ISE) and ISE Passive Identity '
                'Connector (ISE-PIC), which could allow remote attackers to '
                'execute arbitrary code or steal sensitive credentials. The '
                'flaws carry a maximum CVSS score of 9.1 and affect '
                'deployments regardless of configuration.',
 'impact': {'data_compromised': 'Sensitive credentials, including hashed '
                                'credentials',
            'downtime': 'Denial-of-service (DoS) condition in single-node '
                        'deployments',
            'identity_theft_risk': 'High (due to credential theft)',
            'operational_impact': 'Disruption of network access for '
                                  'unauthenticated endpoints',
            'systems_affected': ['Cisco Identity Services Engine (ISE)',
                                 'ISE Passive Identity Connector (ISE-PIC)']},
 'investigation_status': 'Vulnerabilities disclosed; patches released',
 'post_incident_analysis': {'corrective_actions': ['Apply patches',
                                                   'Monitor for exploitation '
                                                   'attempts'],
                            'root_causes': ['Insufficient input validation in '
                                            'ISE web interface '
                                            '(CVE-2026-20181)',
                                            'Authorization bypass in ISE and '
                                            'ISE-PIC (CVE-2026-20190)']},
 'recommendations': 'Prioritize patching; apply updates immediately as no '
                    'workarounds exist.',
 'references': [{'source': 'Cisco Security Advisory'}],
 'response': {'containment_measures': 'Patches released for all affected '
                                      'versions',
              'remediation_measures': 'Apply patches immediately; hot patch '
                                      'available via Cisco TAC for ISE 3.5'},
 'title': 'Critical Cisco ISE Vulnerabilities Expose Networks to Remote '
          'Attacks',
 'type': ['Vulnerability Exploitation',
          'Remote Code Execution',
          'Credential Theft'],
 'vulnerability_exploited': ['CVE-2026-20181', 'CVE-2026-20190']}