Cisco Systems has disclosed a vulnerability in its Identity Services Engine (ISE), a network access control platform. The flaw could allow an attacker to read sensitive information on the appliance that the management interface does not normally expose, even to system administrators. A patch and credential rotation are necessary to correct the issue.
According to Paddy Harrington, a senior analyst at Forrester Research, while this vulnerability requires the attacker to have administrative privileges to exploit it, organizations using Cisco ISE should not underestimate the risk. He advised security leaders to take proactive measures to mitigate the impact of this flaw.
Until the patch can be applied, organizations should consider the following actions:
- Rotate ISE credentials for authorized users.
- Limit access only to individuals who truly need it.
- Reduce the number of devices that can reach the ISE server's management interface.
- Apply the patch as soon as a maintenance window allows the system to be taken offline.
The vulnerability is tracked as CVE-2026-20029 and affects the licensing feature of ISE and of the ISE Passive Identity Connector (ISE-PIC). Cisco rates it as medium severity with a CVSS score of 4.9; the root cause is improper XML parsing in the ISE web-based management interface.
Johannes Ullrich of the SANS Institute said the flaw likely falls into the XML External Entity (XXE) class. XXE arises when an application's XML parser resolves external entities declared in a document it receives: an attacker-controlled document can declare an entity that points at a local file, and the parser then reads that file and folds its contents into the parsed data. An attacker could thereby read confidential configuration files and user credentials.
Cisco’s advisory states that to exploit this vulnerability, an attacker would need to upload a crafted file to the application. Proof-of-concept exploit code is publicly available, but Cisco has not reported any confirmed malicious use so far.
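As an added illustration (an editor's example, not code from the page, from Cisco, or from the public proof of concept, and not a model of ISE's actual parser), the Python block below shows the XXE pattern Ullrich describes using the standard library's xml.sax parser. The "license" upload, its <name> element and the secret file it reads are all constructed for the demo. The same document is parsed twice: once with external general entity resolution enabled (the weak setting) and once with it disabled, which has been Python's default since 3.7.1.

```python
"""Illustrative XXE demo (editor's example, not Cisco ISE code).

A parser that resolves external general entities splices a local file into
the document; the same parser with resolution disabled leaves the reference
unexpanded.  The secret file, the 'license' document and the <name> element
are all constructed for this demo.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class NameCollector(ContentHandler):
    """Collects the text inside <name>, i.e. whatever the parser expanded there."""

    def __init__(self):
        super().__init__()
        self._in_name = False
        self._parts = []

    def startElement(self, tag, attrs):
        self._in_name = (tag == "name")

    def endElement(self, tag):
        if tag == "name":
            self._in_name = False

    def characters(self, content):
        if self._in_name:
            self._parts.append(content)

    @property
    def name(self):
        return "".join(self._parts)


def write_constructed_secret():
    """Write a constructed stand-in for a sensitive config file; return its path."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as f:
        f.write("admin_password=hunter2\n")  # constructed sample content
    return path


def build_xxe_payload(path):
    """A hypothetical 'license' upload: the internal DTD subset declares an
    external entity pointing at a local file and references it in <name>."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE license [ <!ENTITY xxe SYSTEM "{path}"> ]>\n'
        "<license><name>&xxe;</name></license>\n"
    ).encode()


def extract_license_name(xml_bytes, resolve_external_entities):
    """Parse the upload and return the text of <name>.

    resolve_external_entities=True is the weak setting: xml.sax fetches the
    SYSTEM entity from disk and feeds its bytes into the document.  False is
    the hardened setting (and Python's default since 3.7.1): the reference is
    skipped and no file is read.
    """
    handler = NameCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.name


def run_demo():
    """Return (text the weak parser leaks, text the hardened parser returns)."""
    path = write_constructed_secret()
    try:
        payload = build_xxe_payload(path)
        leaked = extract_license_name(payload, resolve_external_entities=True)
        safe = extract_license_name(payload, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = run_demo()
    print("weak parser returned:    ", repr(leaked))
    print("hardened parser returned:", repr(safe))
```

Note that the hardened parse does not raise; it silently returns an empty string, so application code that needs a value should also reject uploads that carry a DOCTYPE at all rather than relying on the missing content. In other parser stacks the equivalent hardening is to disable DTD processing or external entity resolution outright; the feature flag shown here is specific to Python's xml.sax.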
As Harrington noted, getting hold of administrative credentials can often be easier than expected, since numerous systems still operate under default credentials, particularly those assumed to be safe behind a firewall.
For further details, you can check the official Cisco security advisory.