- CVE-2026-20029 in Cisco ISE/ISE-PIC allows arbitrary file reading via malicious XML uploads
- Exploitation requires valid admin credentials; There are no workarounds – patching is the only fix
- PoC exploit available; past ISE failures show that attackers are actively targeting corporate network access control
Cisco has addressed a medium severity vulnerability in the Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) for which there is a proof-of-concept (PoC) exploit.
In a security advisory released by Cisco, the networking giant said the flaw was due to improper parsing of XML processed by the web-based management interface of the affected tools.
The flaw, tracked as CVE-2026-20029 and assigned a severity score of 4.9/10 (medium), allows an unauthorized remote attacker with administrative privileges to gain access to sensitive information.
Patches and workarounds
By uploading a malicious file to the application, an attacker may be allowed to read arbitrary files from the underlying operating system and gain access to sensitive and private information. To exploit the vulnerability, the threat actor must have valid administrator credentials.
There are no workarounds for the vulnerability, Cisco warned, and the only way to fix the problem is to patch the applications. Different versions have different patches, so be sure to apply the correct one:
Earlier than 3.2 – Migrate to a stable release
3.2- 3.2 Patch 8
3.3- 3.3 Patch 8
3.4- 3.4 Patch 4
3.5 – Not Vulnerable
While the networking giant said it did not see evidence that the vulnerability was being actively exploited in the wild, it said proof-of-concept code is available. In other words – it’s only a matter of time before we see an organization lose sensitive files through this bug.
Cisco Identity Services Engine (ISE) is mostly used in medium and large enterprise environments where organizations need centralized control over who and what can access their network. As such, it is a popular target among cybercriminals.
In November 2025, it was found that “sophisticated” threat actors used a 10/10 zero-day in ISE to deploy custom backdoor malware.
In June 2025, Cisco fixed three bugs in the ISE and Customers Collaboration Platform, including a critical severity issue with a public proof-of-concept exploit.
Via Bleeping Computer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
