Cisco has disclosed two critical vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) products that could allow attackers to remotely execute malicious code and access sensitive enterprise data. Published under advisory ID cisco-sa-ise-multi-G5WP8vv on June 17, 2026, the flaws carry a CVSS score of 9.1 and affect all deployment configurations of the affected products.
Why Cisco ISE Matters to Enterprise Security
Cisco Identity Services Engine is a cornerstone of enterprise network access control (NAC), handling authentication and authorization for users, devices, and endpoints across corporate networks. It enforces policies that determine who can access the network and what resources they can reach — making it one of the most privileged and critical components in any enterprise security architecture. A compromise of ISE can enable attackers to subvert network access controls, facilitating lateral movement and escalation throughout the target environment.
CVE-2026-20181: Critical Remote Code Execution
The most severe flaw, CVE-2026-20181, is a Remote Code Execution (RCE) vulnerability caused by improper validation of user-supplied input. An authenticated attacker with administrative privileges can exploit the flaw by sending a specially crafted HTTP request to the affected ISE system.
Successful exploitation allows the attacker to:
- Execute arbitrary commands on the underlying operating system
- Escalate from user-level access to root privileges, gaining full control of the ISE appliance
- In single-node deployments, trigger a denial-of-service condition that prevents new endpoints from authenticating to the network until the system is manually restored
The denial-of-service impact is particularly dangerous in environments where ISE is the sole authentication gateway, as it could lock legitimate users and devices out of the network during an incident.
CVE-2026-20190: Unauthenticated Information Disclosure
The second vulnerability, CVE-2026-20190, is an information disclosure flaw caused by improper authorization checks. Unlike the RCE issue, this vulnerability can be exploited by an unauthenticated remote attacker — requiring no credentials whatsoever.
By sending crafted requests to the ISE management interface, attackers can access sensitive information stored on the device, including hashed credentials. These extracted credential hashes could then be leveraged in offline cracking attacks or used for pass-the-hash attacks to enable lateral movement across the enterprise network.
Scope and Affected Versions
Cisco confirmed that all versions of ISE and ISE-PIC are affected, though specific vulnerability exposure varies by release. The vulnerabilities were reported by security researchers from TrendAI, STAR Labs, and the Zero Day Initiative — highlighting coordinated industry efforts in responsible disclosure.
Fixed versions are available in:
- ISE 3.3 Patch 11
- ISE 3.4 Patch 6
- ISE 3.5 Patch 4 (planned for August 2026)
Earlier versions must be migrated to supported releases. No workarounds are available, making patching the only effective mitigation.
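An added example (not Cisco's code) of turning the version list above into a fleet check: it parses each ISE node's reported version, compares it against the fixed patch level for its release train (3.3 Patch 11, 3.4 Patch 6, 3.5 Patch 4), and flags trains older than 3.3 as needing migration. The inventory entries and the "<train> Patch <n>" version-string format are constructed for this example.

```python
"""Added example, not Cisco's code: triage an ISE node inventory against the
fixed patch levels named in the advisory. The inventory entries and the
"<train> Patch <n>" version-string format are constructed for this example."""
import re

# Fixed patch level per release train, as listed in the advisory.
# (3.5 Patch 4 is stated as planned for August 2026.)
FIXED_PATCH = {"3.3": 11, "3.4": 6, "3.5": 4}

VERSION_RE = re.compile(r"^(\d+\.\d+)(?:\s+Patch\s+(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Split '3.4 Patch 3' into ('3.4', 3); a bare '3.4' counts as Patch 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1), int(m.group(2) or 0)


def assess(version_text):
    """Return (status, reason) for one node's version string."""
    train, patch = parse_version(version_text)
    if train in FIXED_PATCH:
        needed = FIXED_PATCH[train]
        if patch >= needed:
            return "fixed", f"{train} Patch {patch} meets Patch {needed}"
        return "vulnerable", f"{train} Patch {patch} is below Patch {needed}"
    if tuple(int(p) for p in train.split(".")) < (3, 3):
        # Earlier trains receive no fix; the advisory says to migrate them.
        return "migrate", f"{train} has no fixed release; move to a supported train"
    return "unknown", f"{train} is not covered by the advisory text; check with Cisco"


# Constructed sample inventory (hostnames, addresses and versions are made up).
INVENTORY = [
    {"node": "ise-pan-1", "ip": "10.10.1.10", "version": "3.4 Patch 6"},
    {"node": "ise-psn-1", "ip": "10.10.1.11", "version": "3.4 Patch 3"},
    {"node": "ise-psn-2", "ip": "10.10.1.12", "version": "3.3 Patch 11"},
    {"node": "ise-pic-1", "ip": "10.10.2.10", "version": "3.2 Patch 7"},
    {"node": "ise-lab-1", "ip": "10.10.9.10", "version": "3.5"},
]


def triage(inventory):
    """Map each node name to its (status, reason) pair."""
    return {n["node"]: assess(n["version"]) for n in inventory}


def needs_action(results):
    """Sorted list of nodes whose status is anything other than 'fixed'."""
    return sorted(node for node, (status, _) in results.items() if status != "fixed")


if __name__ == "__main__":
    results = triage(INVENTORY)
    for node, (status, reason) in results.items():
        print(f"{node:10} {status:10} {reason}")
    print("action required:", needs_action(results))
```

Anything reported as `vulnerable`, `migrate` or `unknown` goes on the patch list; because the advisory says all releases are affected, an unrecognised train is treated as unresolved rather than as safe.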
Exploitation Status and Urgency
Cisco’s Product Security Incident Response Team (PSIRT) stated that there is currently no evidence of active exploitation in the wild. However, given the critical CVSS score of 9.1 and the ease of exploitation — particularly the unauthenticated information disclosure vector — organizations should treat this as a high-priority patching event.
Recommended Actions
Organizations using Cisco ISE should immediately:
- Apply the available patches — upgrade to ISE 3.3 Patch 11 or ISE 3.4 Patch 6 as soon as possible
- Restrict administrative access — limit ISE management interface access to trusted, dedicated management networks
- Monitor logs — review logs for suspicious HTTP requests to the ISE management plane
- Review privilege escalation activity — audit authentication logs for unusual administrative account behavior
- Segment ISE appliances — ensure ISE nodes are not directly reachable from untrusted network segments
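The "monitor logs" and "segment ISE appliances" items above can be checked together with a small log review. The following is an added example, not Cisco's code or an ISE log format: it parses constructed web-server style access lines and raises a finding when a management-plane path is requested from outside the trusted management network, or is served successfully with no authenticated user (the pattern the unauthenticated information-disclosure flaw would leave behind). The log format, the `/admin/` path prefix and the address ranges are all assumptions made for this example.

```python
"""Added example, not Cisco's code: review constructed access-log lines for
management-plane requests from untrusted networks and for admin paths served
without an authenticated user. Log format, paths and addresses are assumed."""
import ipaddress
import re
from collections import Counter

# Assumed dedicated management network; everything else is untrusted.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.1.0/24")]
ADMIN_PREFIX = "/admin/"  # assumed management-plane path prefix

# Constructed format: <ts> <src_ip> <user|-> "<METHOD> <path>" <status>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)

# Constructed sample log (addresses, users and paths are made up).
SAMPLE_LOG = """\
2026-06-18T09:01:02Z 10.10.1.50 admin "GET /admin/dashboard" 200
2026-06-18T09:01:05Z 10.10.1.50 admin "POST /admin/policy/update" 200
2026-06-18T09:02:11Z 203.0.113.7 - "GET /admin/export" 200
2026-06-18T09:02:12Z 203.0.113.7 - "GET /admin/export" 200
2026-06-18T09:03:40Z 192.168.50.9 svc_probe "GET /admin/dashboard" 403
2026-06-18T09:04:00Z 10.10.1.50 admin "GET /portal/login" 200
"""


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted(ip):
    """True when the source address lies inside a trusted management network."""
    return any(ip in net for net in TRUSTED_MGMT_NETS)


def analyse(text):
    """Scan log text; return (findings, admin_requests_per_source)."""
    findings = []
    per_source = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(ADMIN_PREFIX):
            continue  # only management-plane requests are of interest here
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue  # malformed source field; skip rather than guess
        per_source[rec["src"]] += 1
        if not is_trusted(src):
            # Even a 403 here shows the management plane is reachable from
            # outside the segment it should be restricted to.
            findings.append({"rule": "untrusted_source", "ts": rec["ts"],
                             "src": rec["src"], "path": rec["path"]})
        if rec["user"] == "-" and rec["status"] == "200":
            # A successful admin-path response with no authenticated user.
            findings.append({"rule": "unauth_admin_success", "ts": rec["ts"],
                             "src": rec["src"], "path": rec["path"]})
    return findings, per_source


if __name__ == "__main__":
    findings, per_source = analyse(SAMPLE_LOG)
    for f in findings:
        print(f"{f['ts']} {f['rule']:22} {f['src']:14} {f['path']}")
    print("admin-path requests per source:", dict(per_source))
```

The per-source counter is there so a reviewer can see volume as well as individual hits; a single untrusted address repeatedly touching admin paths is the shape of activity the "restrict administrative access" and "segment ISE appliances" recommendations are meant to prevent.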
These vulnerabilities reinforce the critical importance of securing identity infrastructure. When network access control systems are compromised, the blast radius can extend to every device and user on the enterprise network, making rapid response essential.