Cisco has released patches to fix a medium-severity vulnerability in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that can be exploited using a public proof-of-concept (PoC). The flaw is tracked as CVE-2026-20029 and carries a CVSS score of 4.9.
The vulnerability lies in Cisco ISE's licensing component. An authenticated attacker with administrative privileges could exploit it to obtain confidential data from the operating system underlying Cisco ISE.
According to Cisco, the issue stems from improper XML parsing within the web-based management interface.
“An attacker could exploit this vulnerability by uploading a malicious file to the application,” Cisco said.
Successful exploitation allows attackers to read arbitrary system files that should remain inaccessible — even to administrators — potentially exposing credentials, configuration data, or internal system details.
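The advisory quoted above says only that a malicious upload is mishandled by the XML parser and that the result is an arbitrary file read; it does not name the specific parsing weakness. The example below is added here and is not Cisco's code or the article's. It demonstrates, from the defender's side, the most common way an XML parser turns an uploaded file into a file-disclosure bug: entity declarations in a DOCTYPE that the application never needed. The guard is built only on Python's standard library, in the spirit of the defusedxml project, and refuses any document that declares a DOCTYPE, an entity, or an external entity reference before the real parser touches it. The licence-file layout, the element names and the placeholder file path are all constructed for this example.

```python
# Added example (not from the advisory or the article): a pre-parse guard for
# untrusted XML uploads, built on the standard library only.  It rejects any
# DOCTYPE, entity declaration or external entity reference before the document
# reaches the real parser, because a licence or configuration upload (the
# assumed use case here) has no legitimate need for any of them.
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when an untrusted document uses DTD constructs we refuse to process."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source.

    Pass 1 walks the document with a bare expat parser whose DTD-related
    handlers raise.  Only if that pass completes is the document handed to
    ElementTree, so entity expansion (internal or external) can never happen.
    """
    guard = xml.parsers.expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE not allowed (name={name!r}, system id={sysid!r})")

    def forbid_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration not allowed: {name!r}")

    def forbid_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference not allowed: {sysid!r}")

    guard.StartDoctypeDeclHandler = forbid_doctype
    guard.EntityDeclHandler = forbid_entity_decl
    guard.ExternalEntityRefHandler = forbid_external_ref
    guard.Parse(data, True)  # raises UnsafeXML at the first forbidden construct

    return ET.fromstring(data)


def permissive_parse(data: bytes) -> ET.Element:
    """What an unguarded parser does: ElementTree accepts the DOCTYPE and
    substitutes internal entities silently."""
    return ET.fromstring(data)


# Constructed sample inputs (not real Cisco files).
BENIGN = b"""<?xml version="1.0"?>
<license><product>example</product><seats>50</seats></license>"""

# An internal entity: harmless here, but it shows that the plain parser performs
# substitution the application never asked for.
INTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE license [ <!ENTITY vendor "example-vendor"> ]>
<license><product>&vendor;</product></license>"""

# An external entity whose system id is a placeholder path; the guard rejects the
# document at the DOCTYPE, before any resolution could be attempted.
EXTERNAL_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE license [ <!ENTITY ext SYSTEM "file:///PLACEHOLDER/not-a-real-path"> ]>
<license><product>&ext;</product></license>"""


def classify(data: bytes) -> str:
    """Return 'accepted' or 'rejected: <reason>' for an upload, suitable for an audit log."""
    try:
        parse_untrusted_xml(data)
        return "accepted"
    except UnsafeXML as exc:
        return f"rejected: {exc}"
    except xml.parsers.expat.ExpatError as exc:
        return f"rejected: malformed XML ({exc})"


if __name__ == "__main__":
    print(classify(BENIGN))
    print(classify(INTERNAL_ENTITY))
    print(classify(EXTERNAL_ENTITY))
    # The permissive parser quietly substitutes the internal entity:
    print(permissive_parse(INTERNAL_ENTITY).find("product").text)
```

The two-pass design costs one extra parse but keeps the guard independent of the tree-building library: whatever parser the application uses downstream, no document carrying a DTD reaches it. Logging the `rejected:` reason gives defenders a cheap detection signal for attempts against an upload endpoint that should only ever receive plain XML.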
Affected Versions
The vulnerability impacts the following releases:
1. Cisco ISE / ISE-PIC earlier than 3.2 – Migrate to a fixed release
2. Release 3.2 – Fixed in Patch 8
3. Release 3.3 – Fixed in Patch 8
4. Release 3.4 – Fixed in Patch 4
5. Release 3.5 – Not vulnerable
Cisco confirmed that no workarounds are available and acknowledged the existence of public PoC exploit code, though there is no evidence of active exploitation at this time.
Cisco credited Bobby Gould of the Trend Micro Zero Day Initiative (ZDI) with responsibly disclosing the vulnerability, which is to be fixed in November 2026.
Cisco has also resolved two additional medium-severity vulnerabilities in the Snort 3 Detection Engine, both caused by improper handling of DCE/RPC requests: CVE-2026-20026 (CVSS 5.8), a denial-of-service vulnerability, and CVE-2026-20027 (CVSS 5.3), an information disclosure vulnerability. Either could allow an unauthenticated, remote attacker to cause the Snort engine to restart or to expose sensitive information, compromising availability and confidentiality respectively.
Cisco Secure Firewall Threat Defense (FTD) with Snort 3, Cisco IOS XE Software, and Cisco Meraki are the products affected by this advisory.
This matters because Cisco's infrastructure products are common targets for threat actors, and with exploit code publicly available the barrier to abuse is significantly lower. Even medium-severity vulnerabilities can have a high impact when they provide a foothold on these devices that enables credential compromise, privilege escalation, or lateral movement.
Organizations using Cisco ISE and Snort-based products should apply the latest patches immediately and review their administrative access controls.
Source: The Hacker News