Cisco patches ISE security vulnerability after public PoC exploit is published


Cisco has released updates that address a medium-severity security flaw in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) for which public proof-of-concept (PoC) exploit code is available.

The vulnerability, tracked as CVE-2026-20029 (CVSS score: 4.9), exists in the licensing feature and could allow an authenticated, remote attacker with administrator privileges to access sensitive information.

“This vulnerability is due to improper parsing of XML processed by the Cisco ISE and Cisco ISE-PIC web-based management interfaces,” Cisco said in an advisory Wednesday. “An attacker could exploit this vulnerability by uploading a malicious file to the application.”

Successful exploitation of this flaw could allow an attacker with valid administrator credentials to read arbitrary files from the underlying operating system, which the company says should be off-limits even to administrators.
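The advisory attributes the file read to improper parsing of XML that reaches the management interface as an upload. The standard defensive control for that class of bug is to refuse any DTD construct (a DOCTYPE, entity declarations, external entity references) before the document reaches the application's parser, since those are what let an XML document pull in operating-system files. The Python below is an added example written for this article; it is not Cisco's code and not a reproduction of the ISE flaw, and the advisory does not say whether CVE-2026-20029 is specifically an external-entity problem, so the example treats it as representative of the bug class. It assumes only the standard library's expat binding; the two sample uploads and the placeholder file path are constructed.

```python
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when an uploaded XML document declares a DOCTYPE or entities."""


def check_xml_upload(data: bytes) -> dict:
    """Pre-screen an uploaded XML document and reject any DTD constructs.

    Returns a small summary (root element name, element count) for accepted
    documents. Raises UnsafeXmlError for a DOCTYPE, an entity declaration or
    an external entity reference, and expat.ExpatError for malformed XML.
    Exceptions raised inside expat handlers propagate out of Parse(), so the
    parse stops at the first offending construct.
    """
    summary = {"root": None, "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE declaration not allowed (name={name!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXmlError(f"entity declaration not allowed (name={name!r})")

    def on_external_entity(context, base, sysid, pubid):
        raise UnsafeXmlError(f"external entity reference not allowed ({sysid!r})")

    def on_start(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.Parse(data, True)  # True: this is the final (and only) chunk
    return summary


def is_safe_xml(data: bytes) -> bool:
    """Policy wrapper: malformed documents are rejected as well as unsafe ones."""
    try:
        check_xml_upload(data)
    except (UnsafeXmlError, expat.ExpatError):
        return False
    return True


# Constructed sample uploads (not taken from the advisory): a plain
# license-style document, and one that declares an external entity pointing
# at a placeholder path standing in for a file the parser must never open.
BENIGN_UPLOAD = b'<?xml version="1.0"?><license><id>demo-123</id><seats>10</seats></license>'
ENTITY_UPLOAD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE license [<!ENTITY ext SYSTEM "file:///placeholder/path/on/appliance">]>'
    b'<license><id>&ext;</id></license>'
)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_UPLOAD), ("entity", ENTITY_UPLOAD)):
        try:
            print(label, "accepted:", check_xml_upload(doc))
        except UnsafeXmlError as exc:
            print(label, "rejected:", exc)
```

Screening happens in a throwaway parser that does nothing but walk the document and fire handlers; the application's real parser only ever sees input that passed. Rejecting the DOCTYPE outright also blocks internal-entity expansion attacks, which need a DTD to declare their entities.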

The flaw was discovered and reported by Bobby Gould of the Trend Micro Zero Day Initiative. It affects the following versions:

  • Cisco ISE or ISE-PIC releases prior to Release 3.2: migrate to a fixed release
  • Cisco ISE or ISE-PIC Release 3.2 to 3.2 Patch 8
  • Cisco ISE or ISE-PIC Release 3.3 to 3.3 Patch 8
  • Cisco ISE or ISE-PIC Release 3.4 to 3.4 Patch 4
  • Cisco ISE or ISE-PIC Release 3.5: not vulnerable

Cisco said there are no workarounds to address this flaw, adding that it is aware that PoC exploit code is available. There is no evidence that it has been exploited in the wild.

At the same time, the network equipment company also shipped fixes for two other medium-severity bugs stemming from the handling of Distributed Computing Environment / Remote Procedure Call (DCE/RPC) requests in the Snort 3 detection engine. These bugs could allow an unauthenticated, remote attacker to leak sensitive information or cause Snort 3 to restart, impacting availability.


Trend Micro researcher Guy Lederfein reported these flaws. Their details are as follows:

  • CVE-2026-20026 (CVSS score: 5.8): Snort 3 DCE/RPC denial-of-service vulnerability
  • CVE-2026-20027 (CVSS score: 5.3): Snort 3 DCE/RPC information disclosure vulnerability

These affect several Cisco products:

  • Cisco Secure Firewall Threat Defense (FTD) software (if Snort 3 is configured)
  • Cisco IOS XE Software
  • Cisco Meraki Software

Vulnerabilities in Cisco products are frequently targeted by malicious attackers, so it is important that users update to the latest versions for proper protection.
