Cisco Identity Services Engine Remote Code Execution Vulnerabilities

Priority: Plan Patch
CVSS: 9.9
Advisory ID: cisco-sa-ise-rce-4fverepv
Date: Apr 15, 2026
Vendor: Cisco
IT in OT: Cisco networking products are commonly deployed in OT environments
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Multiple remote code execution vulnerabilities in Cisco Identity Services Engine allow an authenticated attacker with read-only admin credentials to execute arbitrary commands on the ISE operating system. Exploitation begins with a crafted HTTP request sent to an affected device, exploiting insufficient input validation. Successful compromise allows the attacker to gain user-level access and escalate to root. In single-node deployments, this can cause a denial of service condition that prevents unauthenticated endpoints from accessing the network until the ISE node is restored.

What this means
What could happen
An attacker with read-only admin credentials could execute arbitrary commands on your ISE server and escalate to full system control, potentially shutting down the entire identity authentication system and denying network access to all unauthenticated endpoints.
Who's at risk
Network administrators and identity/access control teams running Cisco ISE for user authentication and network access control. Affects all organizations using ISE for 802.1X, guest access, or policy enforcement in enterprise networks.
How it could be exploited
An attacker with read-only admin credentials sends a crafted HTTP request to the ISE web interface, exploiting insufficient input validation to inject commands that execute with user privileges, then escalates those privileges to root access on the underlying operating system.
Prerequisites
  • Valid read-only admin credentials for ISE
  • Network access to ISE web interface (typically port 443)
  • Ability to authenticate to ISE
Tags: remotely exploitable; requires valid credentials; low complexity; high CVSS score (9.9); can escalate to root; affects authentication system availability; no workarounds available
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (1)
Product                            | Affected Versions | Fix Status
-----------------------------------|-------------------|--------------
Identity Services Engine Software  | All versions      | Fix available
Remediation & Mitigation
Do now
WORKAROUND: Restrict ISE web interface access (port 443) to only authorized administrator workstations and management networks using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Cisco Identity Services Engine Software to the patched version released by Cisco
HARDENING: Review and audit all ISE admin accounts; revoke or downgrade credentials that are not actively needed
Long-term hardening
HARDENING: Implement network segmentation to isolate ISE from general user networks