Bg ShapeBg Shape
THREAT INTELLIGENCE

New Vulnerabilities Patched in Cisco Products

Affected Environment

Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC), all releases regardless of device configuration. Note: Cisco ISE-PIC has reached end-of-sale; release 3.4 is the last supported release.

Threat Overview

Cisco disclosed two vulnerabilities affecting Cisco ISE and ISE-PIC. The vulnerabilities could allow a remote attacker to achieve remote code execution or conduct information disclosure attacks. Successful exploitation of the RCE vulnerability could allow an authenticated remote attacker with administrative credentials to execute arbitrary commands on the underlying operating system, elevate privileges to root, and in single-node deployments trigger a denial of service condition. The information disclosure vulnerability allows unauthenticated attackers to access sensitive data including hashed credentials.

Exposure Timeline

Advisories issued 22 June 2026. No active exploitation confirmed at time of publication. Cisco has indicated no workarounds are available for either vulnerability. The recommended remediation window is ten working days.

Attack Surface

For CVE-2026-20181, the attacker must have valid administrative credentials. For CVE-2026-20190, the attack is unauthenticated and accessible via the network to any attacker who can send crafted traffic to the affected device.

Technical Root Cause

CVE-2026-20181 (CVSS 9.1) - A vulnerability in Cisco ISE and ISE-PIC due to insufficient validation of user-supplied input allows an authenticated remote attacker with valid administrative credentials to execute arbitrary commands on the underlying operating system via a crafted HTTP request. The attacker can initially obtain user-level OS access and then elevate privileges to root. In single-node deployments, successful exploitation can cause the ISE node to become unavailable, resulting in a denial of service condition and preventing unauthenticated endpoints from accessing the network until the node is restored.

CVE-2026-20190 (CVSS 7.5) - A vulnerability in Cisco ISE and ISE-PIC due to improper authorization checks when a resource is accessed allows an unauthenticated remote attacker to view sensitive information including hashed credentials by sending crafted traffic to an affected device. The hashed credentials obtained could be used to mount further attacks.

Exploitation Pathway

For CVE-2026-20181, an authenticated administrator sends a crafted HTTP request to the ISE interface, triggering the command injection and escalating to root. In single-node environments this also causes a DoS. For CVE-2026-20190, an unauthenticated attacker sends crafted network traffic to the ISE device and retrieves sensitive configuration data and hashed credentials without any authentication required.

Operational Impact

CVE-2026-20181 enables full operating system control of the ISE appliance from root, and in single-node deployments causes a denial of service that prevents endpoint network authentication until the node is restored. CVE-2026-20190 exposes hashed credentials that could be cracked offline and used in subsequent attacks against network infrastructure, user accounts, or downstream systems.

Strategic Impact

Risk is rated Critical across all organisation sizes in both government and commercial sectors. Cisco ISE is a core network access control platform; compromise gives attackers the ability to manipulate network policy, revoke or grant access, and operate invisibly within trusted authentication infrastructure. The unauthenticated nature of the information disclosure vulnerability significantly lowers the barrier to initial reconnaissance.

Required Mitigation

Cisco has confirmed no workarounds are available. Upgrade all affected ISE and ISE-PIC instances to the following fixed releases as soon as operationally feasible:

ISE Release 3.3: CVE-2026-20181 fixed in 3.3 Patch 11. CVE-2026-20190 is not present in 3.3. Releases earlier than 3.3 must migrate to a fixed release.

ISE Release 3.4: Both CVEs fixed in 3.4 Patch 6. Note: 3.4 is the last supported release for ISE-PIC.

ISE Release 3.5: CVE-2026-20181 fixed in 3.5 Patch 4 (August 2026) or available as a hot patch on request. CVE-2026-20190 fixed in 3.5 Patch 3.

Incident Response Guidance

Implement the Principle of Least Privilege by limiting administrative access to ISE and regularly reviewing user accounts, roles, and permissions. Monitor system and authentication logs for signs of unauthorised privilege escalation, suspicious administrative activity, or unexpected configuration changes. Forward all logs to a centralised SIEM for correlation. Use vulnerability management tooling to identify affected instances and verify remediation status across the full estate. Ensure network and endpoint monitoring solutions are current to detect exploitation attempts targeting ISE infrastructure.

References

Cisco Security Advisory: cisco-sa-ise-multi-G5WP8vv. CVEs: CVE-2026-20181, CVE-2026-20190.

Download the Full Report

Explore More of the Latest Threat Intelligence

Trusted by clients worldwide

Logo
Logo
Logo
Logo
Logo
Logo

Your 24/7 Security Partner

Led by human expertise and powered by the VisionX platform, we provide you with a 24/7 unbeatable Managed Detection & Response capability giving you transparent and consolidated security solutions.

Awards Image
Awards Image
Awards Image
Awards Image
Awards Image
Awards Image