Description
A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials.

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of this vulnerability could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.
Published: 2026-04-15
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

A flaw in Cisco ISE and Cisco ISE‑PIC arises from insufficient validation of user input in a HTTP request, allowing a remote attacker with valid administrative credentials to run arbitrary commands on the host operating system. If the exploit succeeds, the attacker first gains user‑level access and can then elevate privileges to root. In addition, a single‑node ISE deployment can be brought down, causing a denial of service that isolates endpoints until the node is restored.

Affected Systems

The vulnerability affects Cisco ISE Passive Identity Connector and Cisco Identity Services Engine Software. No specific version information is disclosed, implying that all current releases are potentially impacted until a patch is released by Cisco.

Risk and Exploitability

The CVSS score of 9.9 indicates a critical level of threat, but the EPSS score is not available, so the current exploitation probability remains uncertain. The vulnerability is not listed in the CISA KEV catalog. The attacker must be authenticated as an administrator on the device, obtained via legitimate credentials, then send a crafted HTTP request from a remote network. Successful exploitation would provide the attacker with full control over the underlying operating system, enabling data theft, persistence or the shutdown of the ISE node, which would disrupt network authentication for all un‑authenticated endpoints.

Generated by OpenCVE AI on April 15, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Cisco ISE and ISE‑PIC to the latest firmware or software release that contains the fix.
  • Restrict administrative access to the ISE nodes to trusted internal networks and enforce strong authentication methods.
  • Apply network segmentation and firewall rules to block unsolicited HTTP requests to the ISE management endpoints.
  • Monitor system logs for unexpected privilege‑escalation and command‑execution activity and alert on anomalies.

Generated by OpenCVE AI on April 15, 2026 at 19:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of this vulnerability could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.
Title Cisco Identity Services Engine Remote Code Execution Vulnerability
Weaknesses CWE-77
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-04-16T03:55:35.113Z

Reserved: 2025-10-08T11:59:15.385Z

Link: CVE-2026-20147

cve-icon Vulnrichment

Updated: 2026-04-15T16:56:32.745Z

cve-icon NVD

Status : Received

Published: 2026-04-15T17:17:02.410

Modified: 2026-04-15T17:17:02.410

Link: CVE-2026-20147

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T19:30:12Z

Weaknesses