Published on April 16, 2026
Critical Cisco ISE Flaws Let Remote Attackers Execute Malicious Code
Updated on Apr 18, 2026
Detail
Cisco has released security updates addressing multiple critical vulnerabilities affecting Identity Services Engine (ISE), ISE Passive Identity Connector (ISE-PIC), and Webex Services. These vulnerabilities could allow attackers to execute arbitrary code, impersonate legitimate users, or gain unauthorized control over affected systems.
The issues primarily stem from insufficient validation of user-supplied input in Cisco ISE HTTP request handling and improper certificate validation in Webex Single Sign-On (SSO) integration. Successful exploitation may result in system compromise, privilege escalation, or unauthorized access to enterprise environments.
In certain cases, attackers may be able to escalate from limited administrative access to full operating system control, including root-level privileges.
Cisco has confirmed no evidence of active exploitation in the wild at the time of disclosure but strongly recommends immediate patching due to the severity of the vulnerabilities.
| CVE ID | Summary | CVSS Score |
| CVE-2026-20184 | Improper certificate validation in Webex SSO integration with Control Hub could allow an unauthenticated remote attacker to impersonate any user and gain unauthorized access to Cisco Webex services. | 9.8 (Critical) |
| CVE-2026-20180 | Insufficient validation of user-supplied input in Cisco ISE allows an authenticated attacker with read-only administrative access to execute arbitrary commands on the underlying operating system via crafted HTTP requests. | 9.9 (Critical) |
| CVE-2026-20186 | Similar input validation weaknesses in Cisco ISE could allow authenticated attackers to execute arbitrary system-level commands through specially crafted HTTP requests, potentially leading to full system compromise. | 9.9 (Critical) |
Affected Products
The following Cisco products are impacted:
- Cisco Webex Services (SSO integration with Control Hub)
- Cisco Identity Services Engine (ISE)
- Cisco ISE Passive Identity Connector (ISE-PIC)
- Multiple supported Cisco ISE releases prior to fixed patches
Recommendation
Cisco advises organizations to apply the latest available patches immediately and ensure systems are running supported fixed versions.
- Upgrade Cisco ISE and ISE-PIC to the latest patched versions provided by Cisco:
– CVE-2026-20184: No patch action is required as it is cloud-based. However, organizations using SSO are advised to upload a new Identity Provider (IdP) SAML certificate in Cisco Control Hub.
– CVE-2026-20180 & CVE-2026-20186:
a. Cisco ISE 3.2 → Patch 8
b. Cisco ISE 3.3 → Patch 8
c. Cisco ISE 3.4 → Patch 4
d. Cisco ISE 3.5 → Not affected
e. Versions earlier than 3.2 require migration to a fixed release - Ensure Webex SSO identity provider (IdP) SAML certificates are properly updated and rotated.
- Restrict administrative access to Cisco ISE management interfaces.
Source
https://thehackernews.com/2026/04/cisco-patches-four-critical-identity.html
Initial Release
Severity
Critical
Detail
Cisco has released a security advisory addressing two vulnerabilities affecting its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC).
These products are widely used for network access control and policy management within enterprise environments, making the impact of these vulnerabilities significant.
The most critical flaw could allow an authenticated remote attacker to execute malicious code and compromise affected systems. Both vulnerabilities are located within the web-based management interface and can be exploited independently.
| CVE ID | Summary | CVSS Score |
| CVE-2026-20147 | This remote code execution vulnerability stems from insufficient validation of user-supplied input. Threat actors can exploit this by sending maliciously crafted HTTP requests to an affected device. A successful attack grants user-level access to the underlying operating system, which can then be trivially elevated to root privileges. Furthermore, in single-node ISE deployments, this exploit can trigger a complete denial of service (DoS), locking unauthenticated endpoints out of the network until the node is fully restored. | 9.9 (Critical) |
| CVE-2026-20148 | This path traversal flaw is caused by improper input validation. By sending specific HTTP requests, authenticated attackers can bypass directory restrictions to read arbitrary, sensitive files stored on the underlying operating system. | 4.9 (Medium) |
According to Cisco, exploitation requires valid administrative credentials; however, the potential impact remains severe due to the ability to achieve system-level access.
At the time of disclosure, there is no evidence of active exploitation or publicly available proof-of-concept code. Despite this, the high severity of the vulnerabilities indicates a strong likelihood of future exploitation.
Affected Products
Affected products include:
- Cisco Identity Services Engine (ISE)
- Cisco Identity Services Engine Passive Identity Connector (ISE-PIC)
Recommendation
Cisco has confirmed that there are currently no available workarounds or temporary mitigations to prevent exploitation.
Organizations must apply the official software updates immediately to secure their network environments.
Organizations should take the following actions to mitigate the risk associated with these vulnerabilities:
- Deployments running version 3.1 must upgrade to 3.1 Patch 11.
- Environments using version 3.2 should apply 3.2 Patch 10.
- Systems operating on version 3.3 are advised to install 3.3 Patch 11.
- Administrators on version 3.4 need to update to 3.4 Patch 6.
- Networks utilizing version 3.5 must be updated to 3.5 Patch 3.
- Legacy versions prior to 3.1 require an immediate migration to a supported, fixed release.