- CVE-2026-20029 in Cisco ISE/ISE-PIC allows arbitrary file reads via malicious XML payloads
- Exploitation requires valid administrator credentials; there are no workarounds, so the only fix is to apply patches
- A PoC exploit is available; past ISE flaws show attackers actively targeting enterprise network access controls
Cisco has patched a medium severity vulnerability in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), for which a proof-of-concept (PoC) exploit exists.
In a security advisory released by Cisco, the networking giant said the bug was due to improper parsing of the XML processed by the web-based management interface of the affected tools.
The bug, tracked as CVE-2026-20029 and assigned a severity score of 4.9/10 (medium), allows an authenticated, remote attacker with administrative privileges to gain access to sensitive information.
Patches and workarounds
By uploading a malicious file to the application, an attacker could read arbitrary files from the underlying operating system, accessing sensitive and private information. To exploit the vulnerability, the threat actor must have valid administrator credentials.
There are no workarounds for the vulnerability, Cisco warned, and the only way to address the problem is to patch the affected applications. Different releases have different patches, so make sure you apply the correct one:
- Earlier than 3.2: Migrate to a fixed version
- 3.2: 3.2 Patch 8
- 3.3: 3.3 Patch 8
- 3.4: 3.4 Patch 4
- 3.5: Not vulnerable
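To check a fleet against the fixed releases listed above, the following is an added example (not Cisco's or the article's code) that triages an ISE node inventory. The CSV layout, hostnames and verdict strings are constructed for illustration, and the comparison assumes ISE patches are cumulative, so any patch number at or above the listed one counts as fixed.

```python
import csv
import io

# Fixed patch level per release branch, as listed in the article.
FIXED_PATCH = {(3, 2): 8, (3, 3): 8, (3, 4): 4}
NOT_VULNERABLE = {(3, 5)}

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE = """host,release,patch
ise-pan-01,3.1.0,10
ise-psn-02,3.2.0,7
ise-psn-03,3.3.0,8
ise-mnt-04,3.4.0,
ise-pan-05,3.5.0,0
"""


def triage(release: str, patch: int) -> str:
    """Classify one node for CVE-2026-20029 from its release and patch number."""
    try:
        major, minor = (int(p) for p in release.strip().split(".")[:2])
    except ValueError:
        return "unknown: unparseable release"
    branch = (major, minor)
    if branch in NOT_VULNERABLE:
        return "ok: release not vulnerable"
    if branch < (3, 2):
        return "action: migrate to a fixed release"
    if branch not in FIXED_PATCH:
        return "unknown: release not listed"
    needed = FIXED_PATCH[branch]
    if patch >= needed:  # assumption: patches are cumulative
        return "ok: patched"
    return f"action: install {major}.{minor} Patch {needed}"


def triage_inventory(csv_text: str) -> list[tuple[str, str]]:
    """Return (host, verdict) pairs; a blank patch field means no patch installed."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        field = (row.get("patch") or "").strip()
        patch = int(field) if field.isdigit() else 0
        results.append((row["host"], triage(row["release"], patch)))
    return results


if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE):
        print(f"{host}: {verdict}")
```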
While the networking giant said it saw no evidence that the vulnerability was being actively exploited in the wild, it did say that proof-of-concept code is available. In other words, it’s only a matter of time before we see an organization lose sensitive files due to this bug.
Cisco Identity Services Engine (ISE) is most commonly used in medium and large enterprise environments where organizations need centralized control over who and what can access their networks. As such, it is a popular target among cybercriminals.
In November 2025, “sophisticated” threat actors were found to be using a 10/10 zero-day in ISE to deploy custom backdoor malware.
In June 2025, Cisco fixed three bugs in ISE and the Customer Collaboration Platform, including a critical severity issue with a public proof-of-concept exploit.
Via BleepingComputer




