Advisory Breakdown · April 20, 2026 · 10 min read

OTPulse Weekly Briefing - April 20, 2026

Jerrid Brown · OTPulse

Cisco shipped three critical ISE advisories, and one of them has been actively exploited since July. Windows IKE got an unauthenticated 9.8. Siemens RUGGEDCOM CROSSBOW and Schneider Modicon switches rounded out a busy week for anyone running OT.


This week in OT security

The lead story this week is Cisco Identity Services Engine. Two new 9.9 advisories dropped on April 15, both remote code execution, one authenticated and one requiring only a low-privilege admin login. Those would be a story on their own, but the reason I'm writing a briefing about it is that a third ISE advisory from last June is still out there. CVSS 10.0, unauthenticated, and Cisco's own PSIRT said in July 2025 they had seen it exploited in the wild. Nine months later, if you run ISE 3.3 or 3.4 and haven't applied the summer 2025 patches, you're the target.

ISE is not an OT product, but at a mid-size water authority or municipal utility, it's often the RADIUS server and NAC engine that sits behind the Catalyst and IE-series switches on both the IT and the OT VLAN. If that sounds like your stack, this is the week to check your version.

Beyond ISE, Microsoft's Patch Tuesday included a CVSS 9.8 unauthenticated RCE in Windows Internet Key Exchange. Siemens shipped an 8.8 privilege escalation in RUGGEDCOM CROSSBOW, the product utilities actually deploy for secure access to substation IEDs. Schneider published a 9.0 on Modicon Networking Managed Switches with a public PoC. And CERT@VDE landed a 9.1 on Helmholz myREX24V2 remote access gateways, which show up in a lot of small water and manufacturing sites.

Top 5 advisories to act on

  1. Cisco ISE - RCE cluster | Act Now | Two new 9.9 RCEs published April 15, plus a still-exploited 10.0 unauthenticated RCE from June 2025. Patch by release train in this order: 3.3 to Patch 11, 3.4 to Patch 6, 3.5 to Patch 3, 3.2 to Patch 10, 3.1 to Patch 11. No workarounds. Full breakdown below.

  2. Windows IKE Service Extensions - CVE-2026-33824 | Act Now | CVSS 9.8 unauthenticated RCE in the Windows IKE service. Anywhere you terminate or initiate IPsec on a Windows host is in scope. That includes site-to-site VPN concentrators, Windows Server RRAS, jump hosts and engineering workstations using IPsec tunnels to reach the OT network, and any Windows system exposing UDP/500 or UDP/4500 to an untrusted interface. Fix is the April Patch Tuesday update.

  3. Siemens RUGGEDCOM CROSSBOW - SSA-741509 | Assess This Week | CVSS 8.8 privilege escalation in the Secure Access Manager Primary used by utilities to broker engineer access to substation devices. Fixed in V5.8. If you run CROSSBOW, this is the box you do not want compromised because everything else trusts it.

  4. Schneider Modicon Networking Switches - SEVD-2026-104-02 | Assess This Week | CVSS 9.0 third-party vulnerability affecting Modicon Managed Switches, Modicon Redundancy Switches, and Connexium Managed Switches. This is the BlastRADIUS RADIUS protocol issue (CVE-2024-3596), which requires an on-path attacker who can intercept and modify RADIUS traffic between the switch and the RADIUS server, not a remote drive-by. Primary fix is a configuration change: enforce Message-Authenticator on both the RADIUS server and clients. Schneider also shipped firmware updates for switches that didn't previously support Message-Authenticator enforcement, so check the advisory to see if your platform needs both.

  5. Helmholz myREX24V2 - VDE-2026-043 | Assess This Week | CVSS 9.1 cluster on Helmholz myREX24V2 remote access gateways, including the virtual appliance. These get deployed in water pump stations, small manufacturing, and remote monitoring applications where someone wanted cellular-backed remote access on a budget.
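The Message-Authenticator enforcement in item 4 comes down to what the RADIUS client does when an Access-Accept arrives without that attribute, or with one that no longer matches the packet. The block below is an added example, not code from the briefing, Schneider or Cisco: it builds a response the way a RADIUS server does (RFC 2869 HMAC-MD5 Message-Authenticator over the response with the Request Authenticator in the header, then the MD5 Response Authenticator), and shows an enforcing client rejecting a response that lacks the attribute, even with a valid Response Authenticator, or that was modified in transit. The shared secret, Request Authenticator, packet identifier and VLAN value are constructed.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)
SECRET = b"constructed-shared-secret"  # constructed sample values, not real credentials
REQ_AUTH = bytes(range(16))            # stand-in for the random Request Authenticator

def build_packet(code, ident, authenticator, attrs):
    # Code, Identifier, Length, 16-byte Authenticator, then type/length/value attributes
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_attrs(pkt):
    attrs, i = [], 20
    while i + 2 <= len(pkt) and pkt[i + 1] >= 2:
        attrs.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return attrs

def sign_response(code, ident, request_auth, attrs, secret):
    # Server side: HMAC-MD5 with Message-Authenticator zeroed, then MD5 Response Authenticator
    attrs = [a for a in attrs if a[0] != MSG_AUTH] + [(MSG_AUTH, bytes(16))]
    mac = hmac.new(secret, build_packet(code, ident, request_auth, attrs), hashlib.md5).digest()
    pkt = build_packet(code, ident, request_auth, attrs[:-1] + [(MSG_AUTH, mac)])
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]

def verify_response(pkt, request_auth, secret):
    # Client side with Message-Authenticator required; returns (accepted, reason)
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False, "bad length"
    attrs = parse_attrs(pkt)
    macs = [v for t, v in attrs if t == MSG_AUTH]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False, "Message-Authenticator missing"  # enforced mode stops here
    zeroed = [(t, bytes(16) if t == MSG_AUTH else v) for t, v in attrs]
    expect = hmac.new(secret, build_packet(pkt[0], pkt[1], request_auth, zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expect, macs[0]):
        return False, "Message-Authenticator mismatch"
    return True, "ok"

def demo():
    vlan = [(81, b"\x00" + b"20")]  # Tunnel-Private-Group-ID (81): tag 0, VLAN 20
    good = sign_response(2, 7, REQ_AUTH, vlan, SECRET)  # Access-Accept, identifier 7
    # Same VLAN with a valid Response Authenticator but no Message-Authenticator
    legacy = build_packet(2, 7, REQ_AUTH, vlan)
    legacy = legacy[:4] + hashlib.md5(legacy + SECRET).digest() + legacy[20:]
    tampered = bytearray(good)
    tampered[22] ^= 1  # on-path modification of the VLAN attribute's tag byte
    return tuple(verify_response(p, REQ_AUTH, SECRET) for p in (good, legacy, bytes(tampered)))
```

A client that only checks the Response Authenticator accepts the `legacy` packet; the enforcing check returns "Message-Authenticator missing" for it and "Message-Authenticator mismatch" for the tampered one.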

What ISE Actually Is in an OT Shop

Cisco Identity Services Engine isn't an OT product. It's the RADIUS server, the NAC engine, the 802.1X policy plane that sits behind your Catalyst and IE-series switches. At a mid-size water authority or municipal utility, the same ISE cluster that authenticates a laptop plugging into a conference room port is often also authenticating the IE-3300 sitting in a pump station cabinet. Same policy engine, different VLANs.

That means ISE decides which VLAN a newly connected device lands on. It authenticates the engineering workstation that runs Studio 5000 or TIA Portal. It gates the jump host your vendor uses for remote support.

If an attacker has root on ISE, they don't need to find a PLC exploit. They just tell the network the laptop they plugged in belongs on the OT VLAN, and the switch agrees. ISE is the door to your OT VLAN, not a piece of the wall around it.

The Three Advisories Side by Side

Advisory | CVEs | CVSS | Auth required | Exploited in the wild
cisco-sa-ise-unauth-rce-ZAd2GnJ6 | CVE-2025-20281, CVE-2025-20282, CVE-2025-20337 | 10.0 | No | Yes, since July 2025
cisco-sa-ise-rce-4fverepv | CVE-2026-20180, CVE-2026-20186 | 9.9 | Low-priv admin | No
cisco-sa-ise-rce-traversal-8bYndVrZ | CVE-2026-20147, CVE-2026-20148 | 9.9 / 4.9 | Valid admin creds | No

The Ugly Part

That first row is the one to stare at. cisco-sa-ise-unauth-rce-ZAd2GnJ6 was published June 25, 2025, revised in July, and affects ISE 3.3 and 3.4. No authentication needed. CVSS 10.0. Cisco PSIRT's own advisory page says, word for word, "In July 2025, the Cisco PSIRT became aware of attempted exploitation of CVE-2025-20281 and CVE-2025-20337 in the wild."

That was nine months ago. If you run 3.3 and you're not on Patch 7, or you run 3.4 and you're not on Patch 2, assume exploitation is active in the wild and your box is a candidate. This is not a "we'll schedule it for next change" conversation. This is the one where you stop reading and go check your ISE version.

The two new ones from last Tuesday are separate bugs, separate advisories, both 9.9. Patch them. But if you've been sitting on the 10.0 since last summer, that's the first domino.

"Authenticated" Is Not a Safety Blanket

Both of the new 9.9s require admin credentials. I've seen that used as a reason to deprioritize, and it's usually wrong.

The ISE admin account is not some tightly held secret in most shops. It gets shared during audits. It gets handed to a contractor doing a Catalyst refresh. It sits in a password manager half the security team has read access to. The "low privilege administrative" bar on cisco-sa-ise-rce-4fverepv is even lower: it's any account that can log into the ISE admin web UI, not a super admin.

Once an attacker is already on your corporate network, finding valid ISE admin credentials is a phishing email and a week of patience away. Authenticated RCE on the box that decides who gets on the OT VLAN is not a second-tier problem.

What to Do Monday

  1. Inventory your ISE deployment. Primary, secondary, PSN, PIC, all of it. Versions and patch levels.
  2. Patch by release train in this order. 3.3 and 3.4 first because of the exploited 10.0. Then 3.5 because it's the current long-term supported train and where most shops are heading next. Then 3.2 and 3.1, which are older and increasingly edge cases:
    • 3.3 to Patch 11
    • 3.4 to Patch 6
    • 3.5 to Patch 3
    • 3.2 to Patch 10
    • 3.1 to Patch 11
  3. If you've been on 3.3 or 3.4 without the summer 2025 patches, assume the unauth 10.0 is already exploitable in your environment and review ISE admin audit logs going back to mid-2025 for unexpected API calls or file uploads before you patch.
  4. Move the ISE admin interface onto a dedicated management VLAN, reachable only from hardened jump hosts. This doesn't fix any of the three CVEs, but it shrinks who can reach the attack surface in the first place.
  5. Audit who actually has ISE admin credentials. Rotate. Cut the list.
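An added helper for steps 1 to 3, not a Cisco tool and not from the briefing: it parses the version strings an inventory turns up, ranks each node by the worst advisory still open against it using the patch levels listed above (Patch 7 on 3.3 and Patch 2 on 3.4 for the exploited 10.0, the patch-order list for the rest), and orders the work the way the briefing does, so nodes still exposed to the unauthenticated 10.0 come out first for log review and patching. Node names, roles and versions in the sample inventory are constructed.

```python
import re

# Fixed patch levels from the briefing: FULL_FIX closes all three advisories,
# UNAUTH_10_0_FIX is the summer 2025 fix for the exploited unauthenticated 10.0
FULL_FIX = {"3.1": 11, "3.2": 10, "3.3": 11, "3.4": 6, "3.5": 3}
UNAUTH_10_0_FIX = {"3.3": 7, "3.4": 2}
PATCH_ORDER = ["3.3", "3.4", "3.5", "3.2", "3.1"]  # the briefing's release-train order

# Accepts "3.3 Patch 5", "3.4 P1", "3.5" (no patch = 0) and four-part build numbers
VERSION_RE = re.compile(r"^(\d+\.\d+)(?:\.\d+)*(?:\s*(?:patch|p)\s*(\d+))?$", re.I)

def parse_version(text):
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ISE version: {text!r}")
    return m.group(1), int(m.group(2) or 0)

def triage(train, patch):
    # Worst open exposure for one node
    if train not in FULL_FIX:
        return "unsupported-train"  # not in the briefing's fix list; treat as unknown risk
    if train in UNAUTH_10_0_FIX and patch < UNAUTH_10_0_FIX[train]:
        return "exploited-unauth-10.0"  # review admin audit logs before patching
    if patch < FULL_FIX[train]:
        return "new-9.9-rce"
    return "current"

def plan(inventory):
    # inventory: (node, role, version string) tuples; exploited-10.0 exposure first,
    # then the briefing's release-train order, so the output is the work queue
    rank = {"exploited-unauth-10.0": 0, "new-9.9-rce": 1, "unsupported-train": 2, "current": 3}
    order = {t: i for i, t in enumerate(PATCH_ORDER)}
    rows = []
    for node, role, text in inventory:
        train, patch = parse_version(text)
        rows.append((node, role, train, patch, triage(train, patch)))
    return sorted(rows, key=lambda r: (rank[r[4]], order.get(r[2], len(order))))

# Constructed sample inventory; node names and versions are made up
SAMPLE = [
    ("ise-pan-01", "PAN", "3.4 Patch 6"),
    ("ise-psn-ot-01", "PSN", "3.3 Patch 5"),
    ("ise-psn-corp-01", "PSN", "3.5 Patch 1"),
    ("ise-pic-01", "PIC", "3.4 P3"),
]

if __name__ == "__main__":
    for node, role, train, patch, verdict in plan(SAMPLE):
        print(f"{node:16} {role:4} {train} Patch {patch:<3} {verdict}")
```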

Cisco lists no vendor-provided workarounds for any of the three, meaning there's no configuration change that closes the CVEs. The fix is the patch. The VLAN isolation step above is exposure reduction, not a substitute.
