Cisco has addressed a medium-severity security vulnerability in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). The flaw, tracked as CVE-2026-20029, already has a public proof-of-concept (PoC) exploit, which prompted a quick fix from the networking giant. It could allow an authenticated, remote attacker who holds administrative privileges on the web-based management interface to read information they are not supposed to reach.
Vulnerability Details
The vulnerability, tracked as CVE-2026-20029, stems from improper parsing of XML data in the web-based management interface of Cisco ISE and ISE-PIC. It carries a CVSS base score of 4.9 (Medium). An attacker exploits it by uploading a malicious file to the application through that interface. Successful exploitation allows the attacker to read arbitrary files from the underlying operating system, including files that the administrative web role is never meant to expose.
Affected Products
The vulnerability affects Cisco ISE and ISE-PIC regardless of device configuration. Cisco lists the following releases as impacted:
- Cisco ISE or ISE-PIC Release earlier than 3.2
- Cisco ISE or ISE-PIC Release 3.2
- Cisco ISE or ISE-PIC Release 3.3
- Cisco ISE or ISE-PIC Release 3.4
Root Cause
The root cause is improper parsing of XML data processed by the web-based management interface of Cisco ISE and Cisco ISE-PIC. A malicious file uploaded through that interface is parsed without adequate restriction, and the outcome is that the attacker can read arbitrary files from the underlying operating system. The description above does not identify the parsing weakness more precisely than that.
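The advisory says only that improperly parsed XML in an uploaded file ends in arbitrary file read. The example below is added here and is not Cisco's code or the public PoC for CVE-2026-20029; it assumes the vulnerability class that matches that description, an XML parser that resolves external entities (XXE), and shows the weak parser setting beside the hardened one using Python's standard-library xml.sax. The secret file, element names and payload are constructed for the demonstration.

```python
# Added example: XXE-style file read through an XML parser that resolves
# external entities, beside the hardened parser. Not Cisco's code and not the
# CVE-2026-20029 PoC; the XXE mechanism is assumed from the advisory's
# "improper parsing of XML data" description. Secret file, element names and
# payload are constructed for the demo.
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax import handler


class _TextCollector(handler.ContentHandler):
    """Collects the character data inside one chosen element."""

    def __init__(self, element):
        super().__init__()
        self.element = element
        self.text = []
        self._inside = False

    def startElement(self, name, attrs):
        if name == self.element:
            self._inside = True

    def endElement(self, name):
        if name == self.element:
            self._inside = False

    def characters(self, content):
        if self._inside:
            self.text.append(content)


def build_payload(target_uri):
    """A constructed 'config upload' whose DOCTYPE declares an external entity
    pointing at a local file and references it from element content."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE config [\n'
        f'  <!ENTITY xxe SYSTEM "{target_uri}">\n'
        ']>\n'
        '<config><description>&xxe;</description></config>\n'
    ).encode()


def _parse(payload, resolve_external_entities):
    parser = xml.sax.make_parser()
    # Weak setting: the parser fetches SYSTEM entities from disk or URL.
    # Hardened setting: external entities are ignored, so &xxe; expands to nothing.
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = _TextCollector("description")
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(payload))
    return "".join(collector.text)


def parse_vulnerable(payload):
    """Parser configured the way an XXE-exposed application would be."""
    return _parse(payload, resolve_external_entities=True)


def parse_hardened(payload):
    """Parser with external general entity resolution disabled."""
    return _parse(payload, resolve_external_entities=False)


def demo():
    """Writes a constructed secret to a temp file, then parses the same
    payload with both parsers. Returns (vulnerable_result, hardened_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "secret.txt"
        secret.write_text("db_password=hunter2")
        payload = build_payload(secret.as_uri())
        return parse_vulnerable(payload), parse_hardened(payload)


if __name__ == "__main__":
    leaked, safe = demo()
    print("external entities on :", repr(leaked))  # the secret file content
    print("external entities off:", repr(safe))    # ''
```

Run it and the first parser returns the content of the temporary secret file, while the hardened parser returns an empty string because the reference to the external entity expands to nothing. The same pair of settings exists in every mainstream XML stack (DocumentBuilderFactory features in Java, the NOENT and DTDLOAD parser options in libxml2, XmlResolver in .NET), so the check for any application that accepts XML uploads is whether DTD and external entity resolution are switched off in the parser that handles them. The technique also has its classic limitation: the pulled-in file must read as well-formed XML text, so a file containing bare < or & characters breaks the parse instead of leaking.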
Impact & Exploit Potential
Exploitation requires valid administrative credentials for the web-based management interface, which is the main barrier to entry. An attacker who has already obtained such credentials, however, can use the flaw to read arbitrary files from the affected system: the application's admin role is not supposed to grant raw access to the underlying operating system's files, and this flaw crosses that boundary. Neither Cisco nor Trend Micro's Zero Day Initiative (ZDI) is aware of in-the-wild exploitation, but the public PoC lowers the effort for anyone who already holds an admin session, which raises the likelihood of future exploitation.
Tactics, Techniques, and Procedures (TTPs)
The vulnerability gives an attacker access to sensitive information stored on the appliance. No exploitation has been observed, so the MITRE ATT&CK technique below is the one the behaviour maps to rather than one seen in use:
- T1005 – Data from Local System: the attacker collects data residing on the local file system of the compromised host.
Mitigation & Recommendations
Cisco has released patches that address the vulnerability. Upgrade to a fixed release as soon as possible to remove the exposure. The fixed releases are:
- Cisco ISE or ISE-PIC Release 3.2 Patch 8
- Cisco ISE or ISE-PIC Release 3.3 Patch 8
- Cisco ISE or ISE-PIC Release 3.4 Patch 4
- Cisco ISE or ISE-PIC Release 3.5 is not affected and needs no patch
No patch is listed above for releases earlier than 3.2, so deployments on those releases can only be fixed by migrating to one of the fixed releases.
Cisco treats any workaround or mitigation as a temporary measure and strongly recommends upgrading to fixed software to fully address the vulnerability. Until the upgrade is done, keep administrative access to the management interface tightly restricted and watch file uploads made from admin sessions: because exploitation needs an admin account, an attempt against this flaw is also evidence that an administrative credential has been misused.
Instantly Fix Risks with Saner Patch Management
Saner Patch Management is continuous, automated, and integrated patching software that fixes risks being exploited in the wild. It supports major operating systems such as Windows, Linux, and macOS, as well as 550+ third-party applications.
It also lets you set up a safe testing area to validate patches before deploying them to the production environment, and it supports patch rollback in case a patch fails or causes a system malfunction.
Experience the fastest and most accurate patching software here.
