Cisco ISE Flaws Enable Authenticated Remote Code Execution and Root Escalation
Cisco disclosed two high-severity vulnerabilities in Cisco Identity Services Engine (ISE), tracked as CVE-2026-20180 and CVE-2026-20186, that allow an authenticated attacker to execute arbitrary commands on the underlying operating system by sending crafted HTTP requests. Both issues require at least Read Only Admin credentials and stem from insufficient validation of user-supplied input; Cisco mapped the flaws to CWE-22 and CWE-77 respectively. Cisco assigned both vulnerabilities the same CVSS v3.1 score vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.
Successful exploitation can provide user-level operating system access and may allow attackers to escalate privileges to root. Cisco warned that in single-node ISE deployments, exploitation could also make the affected node unavailable, creating a denial-of-service condition that prevents unauthenticated endpoints from accessing the network until the system is restored.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Cisco patches critical Webex SSO impersonation flaw
Cisco released fixes for a critical Webex Services vulnerability caused by improper certificate validation in SSO integration that could let an unauthenticated remote attacker impersonate any user. The company said it had no evidence of in-the-wild exploitation and advised Webex SSO customers to upload a new identity provider SAML certificate in Control Hub.
Cisco discloses CVE-2026-20180 and CVE-2026-20186 in Identity Services Engine
Cisco published an advisory for two authenticated remote code execution vulnerabilities in Cisco Identity Services Engine (ISE), tracked as CVE-2026-20180 and CVE-2026-20186. Both flaws require at least Read Only Admin credentials and can allow arbitrary command execution on the underlying operating system, potentially leading to root privilege escalation and denial of service in single-node deployments.
Cisco adds CVE-2026-20147 for Cisco ISE and ISE-PIC RCE
Cisco disclosed CVE-2026-20147, an authenticated remote code execution flaw in Cisco Identity Services Engine and Cisco ISE Passive Identity Connector caused by insufficient validation of user-supplied input in crafted HTTP requests. Successful exploitation can yield user-level OS command execution, possible root privilege escalation, and in single-node ISE deployments may cause a denial-of-service condition.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution
thehackernews.com
Open sourceCVE-2026-20180 - Cisco Identity Services Engine Multiple Remote Code Execution Vulnerability
cvefeed.io
Open sourceCVE-2026-20186 - Cisco Identity Services Engine Multiple Authenticated Remote Code Execution Vulnerability
cvefeed.io
Open sourceCVE-2026-20147 - Cisco Identity Services Engine Remote Code Execution Vulnerability
cvefeed.io
Open sourceCisco Identity Services Engine Remote Code Execution and Path Traversal Vulnerabilities
sec.cloudapps.cisco.com
Open sourceCisco Identity Services Engine Remote Code Execution Vulnerabilities
sec.cloudapps.cisco.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cisco ISE Flaws Expose Authentication Bypass, Root RCE, and Path Traversal
Cisco disclosed multiple vulnerabilities in **Identity Services Engine (ISE)** and **ISE-PIC** that could let attackers compromise deployments through **authentication bypass**, **unauthenticated remote code execution**, and **path traversal**. One of the issues, tracked as **`CVE-2025-20281`**, was described in public research as allowing unauthenticated attackers to achieve **remote code execution as root** because of insufficient input validation in a specific API, significantly raising the risk to exposed management infrastructure. Separate Cisco advisories also detailed additional **authentication bypass** weaknesses and a combination of **remote code execution and path traversal** flaws affecting the same product line, indicating broad attack surface concerns in enterprise identity and access control environments. The publication of a public GitHub checker for `CVE-2025-20281` increases the likelihood of rapid defender validation and potential attacker reconnaissance, making prompt patching, exposure review, and monitoring of Cisco ISE systems a priority for security teams.
May 25, 2026
Critical Cisco ISE Flaws Enable Authenticated RCE and File Exposure
Cisco disclosed two vulnerabilities in **Identity Services Engine (ISE)** and **ISE Passive Identity Connector (ISE-PIC)** that can allow authenticated attackers to execute malicious code and access sensitive files. The most severe flaw, **`CVE-2026-20147`** with a **CVSS 9.9**, is an authenticated remote code execution issue that can provide user-level operating system access and may be escalated to **root**. A second flaw, **`CVE-2026-20148`** with a **CVSS 4.9**, is an authenticated path traversal vulnerability that can expose files from the underlying operating system.
Apr 20, 2026
Cisco ISE Flaws Expose Networks to RCE and Sensitive Data Disclosure
Cisco disclosed two vulnerabilities in **Cisco Identity Services Engine (ISE)** and **Cisco ISE Passive Identity Connector (ISE-PIC)**, including the critical remote code execution flaw `CVE-2026-20181` and the high-severity information disclosure flaw `CVE-2026-20190`. Cisco said `CVE-2026-20181` carries a CVSS score of **9.1** and can let an authenticated attacker with valid administrative credentials execute arbitrary commands, obtain user-level access, potentially escalate privileges to root, and in single-node deployments trigger a denial-of-service condition. The second flaw, rated **7.5**, can allow an unauthenticated attacker to access sensitive information such as hashed credentials because of improper authorization checks. The affected software includes all releases prior to **3.3**, versions before **3.3 Patch 11** in release 3.3, versions before **3.4 Patch 6** in release 3.4, and versions before **3.5 Patch 4** in release 3.5, according to the Canadian Centre for Cyber Security notice summarizing Cisco’s advisories. Cisco said the vulnerabilities are independent, no workarounds are available, and no confirmed exploitation had been reported at disclosure time. Authorities urged administrators to review Cisco’s advisories and apply the available updates immediately.
Jun 21, 2026