Cisco has released security updates to fix a medium-severity vulnerability in its Identity Services Engine (Cisco ISE) and ISE Passive Identity Connector (ISE-PIC) products after a public proof-of-concept (PoC) exploit became available. The issue could allow attackers with administrative access to read sensitive files from the underlying operating system.
The vulnerability highlights ongoing risks in widely used enterprise identity and access management solutions, especially when flaws are disclosed publicly. Cisco customers are strongly advised to apply the latest patches to reduce exposure.
The flaw is tracked as CVE-2026-20029 and has a CVSS score of 4.9, placing it in the medium-severity category. Despite the moderate score, the availability of public exploit code increases the overall risk, particularly in environments where administrative accounts may already be compromised.
According to Cisco’s official security advisory, the vulnerability exists in the licensing feature of Cisco ISE and ISE-PIC. The root cause is improper parsing of XML files processed by the web-based management interface.
Cisco explained that an attacker could exploit the issue by uploading a specially crafted malicious file to the application. While the attacker must already have valid administrative credentials, successful exploitation could allow them to read arbitrary files from the operating system.
Importantly, Cisco noted that these files should be restricted even for administrators, making this a violation of expected access controls and privilege boundaries.
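The advisory says only that the licensing feature parses uploaded XML improperly; it does not name the exact defect. As an added illustration (not Cisco's code, and the `<license>` format below is a made-up stand-in), this hardened parser shows the defensive posture such an upload handler should have: any DOCTYPE or external entity reference aborts the parse instead of being resolved, so a crafted file cannot make the parser open files on the underlying OS.

```python
import xml.parsers.expat as expat


class UnsafeXmlError(ValueError):
    """Raised when an uploaded XML document uses a feature the parser must never honour."""


def parse_license_xml(data: bytes) -> dict:
    """Parse a small, hypothetical license document into {tag: text}.

    Assumed format: <license><product>..</product><expiry>..</expiry></license>.
    DTDs and external entities have no legitimate use here, so they are rejected.
    """
    parser = expat.ParserCreate()
    # Never fetch parameter entities (external DTD subsets) from disk or network.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    fields: dict = {}
    stack: list = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Reject outright; exceptions raised in a handler abort Parse().
        raise UnsafeXmlError("DOCTYPE declarations are not permitted")

    def on_external_entity(context, base, system_id, public_id):
        # Refuse anything that would make the parser open a file or URL.
        raise UnsafeXmlError("external entity references are not permitted")

    def on_start(tag, attrs):
        stack.append(tag)

    def on_end(tag):
        stack.pop()

    def on_text(text):
        # Character data may arrive in chunks; accumulate per leaf element.
        if stack and stack[-1] != "license" and text.strip():
            fields[stack[-1]] = fields.get(stack[-1], "") + text.strip()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return fields


def check_upload(data: bytes):
    """Return (accepted, detail): parsed fields on success, a reason string on rejection."""
    try:
        return True, parse_license_xml(data)
    except UnsafeXmlError as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
```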
Cisco ISE is widely used by enterprises to manage network access control (NAC), identity authentication, and policy enforcement across corporate networks. Any weakness in such a critical security platform can have serious implications.
If exploited, the vulnerability could allow attackers to access:
- Configuration files
- System-level information
- Sensitive operational data
Although Cisco has stated that there is no evidence of active exploitation in the wild, the presence of a public PoC exploit significantly lowers the barrier for attackers. In real-world scenarios, threat actors often chain such vulnerabilities with stolen or reused credentials to escalate attacks.
Cisco confirmed that multiple versions of ISE and ISE-PIC are affected. The following breakdown shows which releases are vulnerable and how to remediate them:
- Cisco ISE or ISE-PIC earlier than Release 3.2 → Upgrade to a fixed release
- Cisco ISE or ISE-PIC Release 3.2 → Apply Patch 8
- Cisco ISE or ISE-PIC Release 3.3 → Apply Patch 8
- Cisco ISE or ISE-PIC Release 3.4 → Apply Patch 4
- Cisco ISE or ISE-PIC Release 3.5 → Not vulnerable
Cisco has clearly stated that there are no workarounds available. Applying the official patches is the only effective mitigation.
The vulnerability was discovered and responsibly reported by Bobby Gould of the Trend Micro Zero Day Initiative (ZDI). Cisco credited the researcher for identifying the flaw and coordinating disclosure.
Responsible reporting plays a key role in helping vendors address security issues before they are widely exploited, although the public release of PoC code increases urgency for patching.
Alongside the ISE update, Cisco also released fixes for two additional medium-severity vulnerabilities affecting the Snort 3 Detection Engine. These flaws are related to how Snort processes Distributed Computing Environment Remote Procedure Call (DCE/RPC) requests.
The vulnerabilities include:
- CVE-2026-20026 (CVSS 5.8) → A denial-of-service vulnerability that could cause Snort 3 to restart, impacting availability
- CVE-2026-20027 (CVSS 5.3) → An information disclosure vulnerability that could leak sensitive data
These issues could be exploited by an unauthenticated remote attacker, making them particularly concerning in exposed environments.
Trend Micro researcher Guy Lederfein was credited with discovering and reporting these Snort-related vulnerabilities.
The Snort vulnerabilities impact several widely deployed Cisco products, including:
- Cisco Secure Firewall Threat Defense (FTD), when configured with Snort 3
- Cisco IOS XE Software
- Cisco Meraki software
Organizations using these platforms should verify their configurations and apply updates promptly to avoid service disruption or data exposure.
Cisco products are frequently targeted by cybercriminals and nation-state threat actors due to their widespread use in enterprise and government networks. Even medium-severity vulnerabilities can become high-impact when combined with other weaknesses, such as poor credential hygiene or exposed management interfaces.
Security teams should treat this update as a reminder to:
- Regularly audit administrative access
- Restrict management interfaces to trusted networks
- Monitor for unusual file access or configuration changes
- Apply vendor patches as soon as they are released
While Cisco reports no active exploitation of CVE-2026-20029, the existence of a public PoC exploit makes immediate patching essential. Organizations running Cisco ISE, ISE-PIC, or Snort-enabled Cisco products should review their environments and update to the latest secure versions without delay.