Description
A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials.

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of this vulnerability could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.
Published: 2026-04-15
Score: 9.9 Critical
EPSS: 10.9% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in Cisco Identity Services Engine (ISE) and the ISE Passive Identity Connector (ISE-PIC) stems from insufficient validation of user-supplied input carried in HTTP requests (CWE-77, command injection). An attacker who already holds valid administrative credentials can send a crafted HTTP request whose contents reach a command executed on the underlying operating system. Successful exploitation first yields user-level OS access, from which the attacker can elevate to root and run arbitrary commands on the host. On a single-node ISE deployment, taking that node down also produces a denial of service: endpoints that have not yet authenticated cannot reach the network until the node is restored.

Affected Systems

The vulnerability affects Cisco Identity Services Engine Software and the Cisco ISE Passive Identity Connector (ISE-PIC). This record lists no affected or fixed release numbers, so the scope of affected releases cannot be determined from the data on this page; the Cisco advisory is the authoritative source for the release list.

Risk and Exploitability

The CVSS v3.1 base score of 9.9 (vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) classifies this flaw as critical. The score is driven by network reachability, the changed scope (S:C, because compromise of the ISE application gives control of the host operating system) and full confidentiality, integrity and availability impact, even though the attacker must already hold administrative credentials. The EPSS score of 10.9% indicates a moderate estimated probability of exploitation activity in the wild over the next 30 days. The flaw is not in the CISA KEV catalog, and the SSVC decision point on this page records Exploitation: none, meaning no in-the-wild exploitation had been observed when the record was enriched; that is not evidence that no exploit exists. Exploitation requires a valid administrative account and the ability to reach the ISE HTTP management endpoint; upon success the attacker obtains full control of the underlying operating system of the server that decides who gets onto the network.

Generated by OpenCVE AI on June 24, 2026 at 12:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the fixed Cisco ISE and ISE-PIC software release or patch as soon as Cisco publishes one; the Remediation section above records no fix or workaround at the time this record was generated, so track the Cisco advisory for the fixed releases.
  • Reduce who can exploit it: keep ISE administrator accounts to the minimum needed, use multi-factor or certificate-based authentication for administrators, rotate administrator credentials if compromise is suspected, and review administrator logins for unexpected source addresses or times.
  • Restrict reachability of the ISE administration interface (HTTPS, TCP 443 by default) to management networks with firewall rules or network segmentation, so that a stolen or phished administrator credential cannot be used from arbitrary locations.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 09:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Cisco
                                       Cisco Identity Services Engine Passive Identity Connector
                                       Cisco Identity Services Engine Software
Vendors & Products    -                Cisco
                                       Cisco Identity Services Engine Passive Identity Connector
                                       Cisco Identity Services Engine Software

Wed, 15 Apr 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 16:30:00 +0000

Type          Values Removed   Values Added
Description   -                A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of this vulnerability could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.
Title         -                Cisco Identity Services Engine Remote Code Execution Vulnerability
Weaknesses    -                CWE-77
References    -                -
Metrics       -                cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-04-16T03:55:35.113Z

Reserved: 2025-10-08T11:59:15.385Z

Link: CVE-2026-20147

Vulnrichment

Updated: 2026-04-15T16:56:32.745Z

NVD

Status : Awaiting Analysis

Published: 2026-04-15T17:17:02.410

Modified: 2026-06-17T10:17:12.147

Link: CVE-2026-20147

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T12:45:04Z

Weaknesses
  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
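CWE-77 names the class of the bug, not the Cisco code, which is not public. The following added example, written for this page and not taken from the record or from Cisco, shows the pattern the CWE describes in its minimal form: an HTTP query parameter (here a `host` value for a hypothetical diagnostic endpoint) interpolated into a shell command string, beside the hardened form that validates the value against an allowlist and passes it to the process as its own argv element. `echo` stands in for the real diagnostic binary so the example runs harmlessly; it assumes a POSIX `sh`, and the `INJECTED_QUERY` payload is constructed for the demonstration.

```python
"""Illustration of CWE-77 (command injection) in a web handler, with the fix.

Generic constructed example for the weakness class this CVE is filed under.
It is NOT Cisco code and does not reproduce the ISE bug. Assumes a POSIX
shell (`sh`) and an `echo` binary.
"""
import re
import subprocess
from urllib.parse import parse_qs

# Constructed payloads: a benign host, and one carrying a shell metacharacter.
BENIGN_QUERY = "host=127.0.0.1"
INJECTED_QUERY = "host=127.0.0.1%3B%20echo%20INJECTED"  # decodes to "127.0.0.1; echo INJECTED"

# Allowlist for the parameter: hostname / IPv4 characters only, bounded length.
HOST_RE = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")


def host_param(query_string: str) -> str:
    """Pull the 'host' parameter out of a URL query string (first value wins)."""
    return parse_qs(query_string).get("host", [""])[0]


def vulnerable_lookup(query_string: str) -> str:
    """Vulnerable: untrusted input is interpolated into a string that a shell parses.

    'echo' stands in for the real diagnostic command (ping, nslookup, ...).
    A ';' in the value ends the intended command and starts a second one.
    """
    host = host_param(query_string)
    cmd = f"echo {host}"  # command string built from request data
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def argv_only_lookup(query_string: str) -> str:
    """No shell, no validation: the payload is passed literally as one argument.

    Shown separately to make the point that shell=False alone stops the
    injection, but the bogus value still reaches the command unchanged.
    """
    host = host_param(query_string)
    out = subprocess.run(["echo", host], capture_output=True, text=True)
    return out.stdout


def hardened_lookup(query_string: str) -> str:
    """Hardened: reject anything outside the allowlist, then exec with an argv list.

    The argv list means no shell ever interprets the value; the allowlist is
    defence in depth so junk never reaches the binary either.
    """
    host = host_param(query_string)
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    out = subprocess.run(["echo", host], capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    print("vulnerable :", repr(vulnerable_lookup(INJECTED_QUERY)))  # two lines: a second command ran
    print("argv only  :", repr(argv_only_lookup(INJECTED_QUERY)))   # one line, payload echoed literally
    try:
        hardened_lookup(INJECTED_QUERY)
    except ValueError as exc:
        print("hardened   :", exc)
    print("hardened ok:", repr(hardened_lookup(BENIGN_QUERY)))
```

The vulnerable handler returns two lines for the injected query because `sh` ran `echo INJECTED` as a separate command; the argv-only handler returns a single line containing the literal payload; the hardened handler refuses the payload before any process is spawned and behaves normally for the benign query.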