Cisco has issued security updates for a medium-severity vulnerability in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). The flaw, tracked as CVE-2026-20029, carries a CVSS score of 4.9 and can expose sensitive information on affected systems. Notably, a public proof-of-concept (PoC) exploit is already available, which raises the likelihood that affected deployments will be targeted.
The vulnerability stems from improper parsing of XML data in the web-based management interface of both Cisco ISE and ISE-PIC. According to Cisco’s advisory, an authenticated, remote attacker with administrative privileges could exploit it by uploading a crafted file. Successful exploitation lets the attacker read arbitrary files from the underlying operating system, including data that should remain inaccessible even to administrators. Because administrative credentials are a precondition, the practical impact is escalation from a compromised or malicious admin account to file-level access on the ISE host itself, which is why the flaw rates as medium rather than critical despite the public PoC.
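The advisory describes the bug only as improper XML parsing that turns an administrator's file upload into an arbitrary file read; it does not name the parser or the exact mechanism. The classic way an XML parser produces that outcome is external entity expansion (XXE): the uploaded document declares an entity whose SYSTEM identifier is a local file path, and a parser that resolves external entities copies the file's contents into the document text that is then shown or logged back to the user. The following Python example is added here to show that bug class and its fix; it is not Cisco's code, not derived from the advisory or the PoC, and the "secret" file, the upload and the function names are all constructed for the illustration. It assumes only the standard-library expat bindings.

```python
"""Illustrative XXE file read versus a hardened parser (added example, not Cisco code).

The ISE advisory only says "improper parsing of XML data" in an uploaded file leads
to arbitrary file reads; external entity expansion is assumed here as the
representative mechanism of that bug class.
"""
import os
import tempfile
import xml.parsers.expat as expat


def write_constructed_secret():
    """Create a throwaway file standing in for an OS file the web app must never expose."""
    d = tempfile.mkdtemp(prefix="xxe-demo-")
    path = os.path.join(d, "secret.txt")
    with open(path, "w", encoding="utf-8") as f:
        f.write("db_password=hunter2\n")  # constructed sample content, not real data
    return path


def build_upload(target_path):
    """Constructed 'malicious upload': an internal DTD declares an external entity whose
    SYSTEM identifier is a local file path, then references that entity in content."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE config [ <!ENTITY leak SYSTEM "{target_path}"> ]>\n'
        '<config><name>&leak;</name></config>\n'
    ).encode("utf-8")


def parse_unsafe(xml_bytes):
    """Vulnerable pattern: the application installs an entity resolver that opens
    whatever path the document names and feeds the bytes back as entity text."""
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def resolve_entity(context, base, system_id, public_id):
        with open(system_id, "rb") as f:        # attacker-controlled path from the DTD
            data = f.read()
        child = parser.ExternalEntityParserCreate(context)
        child.CharacterDataHandler = chunks.append
        child.Parse(data, True)                  # file contents become element text
        return 1

    parser.ExternalEntityRefHandler = resolve_entity
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def parse_safe(xml_bytes):
    """Hardened pattern: refuse any DOCTYPE (so no entity can be declared at all) and
    install no external-entity resolver, so nothing is ever fetched from disk."""
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ValueError("DOCTYPE/DTD not allowed in uploaded XML")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def demo():
    """Run both parsers over the same constructed upload and report what each yielded."""
    secret = write_constructed_secret()
    upload = build_upload(secret)
    result = {"unsafe": parse_unsafe(upload)}
    try:
        parse_safe(upload)
        result["safe_rejected"] = False
    except ValueError:
        result["safe_rejected"] = True
    # A benign upload without a DTD still parses normally under the hardened rules.
    result["safe_benign"] = parse_safe(b"<config><name>prod</name></config>")
    return result


if __name__ == "__main__":
    r = demo()
    print("vulnerable parser returned:", repr(r["unsafe"]))
    print("hardened parser rejected the upload:", r["safe_rejected"])
```

The practitioner's check is the second function: an upload handler that accepts XML should reject any DOCTYPE outright (the JAXP equivalent is the disallow-doctype-decl feature) rather than trying to filter entity names, and should never supply a resolver that opens arbitrary paths. Whether the ISE flaw is XXE specifically is not stated by Cisco; the example shows the class, not the CVE.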
Cisco ISE Vulnerability Exposes Sensitive System Files
The discovery and reporting of CVE-2026-20029 are credited to Bobby Gould of Trend Micro Zero Day Initiative. The vulnerability affects several versions of Cisco ISE and ISE-PIC. For versions earlier than 3.2, Cisco recommends migrating to a fixed release. Releases 3.2 and 3.3 each require Patch 8, and Release 3.4 requires Patch 4. Cisco ISE and ISE-PIC Release 3.5 is not affected by this flaw.
Cisco has stated that there are no workarounds for this vulnerability. The company acknowledged the existence of public proof-of-concept exploit code but said it has no indication of exploitation in the wild. The public exploit code nonetheless significantly elevates the risk, and affected users should patch promptly. Until the patch is applied, restricting access to the web-based management interface to trusted administrative networks and reviewing administrator activity are the only practical interim controls, since the attack requires an administrator session.
Additional Network Security Fixes by Cisco
In addition to the ISE vulnerability, Cisco simultaneously released fixes for two other medium-severity bugs. These issues are related to the processing of Distributed Computing Environment Remote Procedure Call (DCE/RPC) requests. They could potentially allow an unauthenticated, remote attacker to cause the Snort 3 Detection Engine to leak sensitive information or to restart, consequently impacting the availability of network services.
Trend Micro researcher Guy Lederfein is acknowledged for reporting these additional flaws. The first, CVE-2026-20026, carries a CVSS score of 5.8 and is classified as a Snort 3 DCE/RPC denial-of-service vulnerability. The second, CVE-2026-20027, with a CVSS score of 5.3, is an information disclosure vulnerability also related to Snort 3 DCE/RPC processing. These vulnerabilities affect a range of Cisco products, including Cisco Secure Firewall Threat Defense (FTD) Software when Snort 3 is configured, Cisco IOS XE Software, and Cisco Meraki software.
Given how often Cisco products are targeted by malicious actors, users should update their systems to the latest available releases. Organizations should prioritize remediation of CVE-2026-20029 because a public exploit is available, and should confirm after patching that each ISE or ISE-PIC node is running a fixed release or Release 3.5.

