Description
A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have at least Read Only Admin credentials.

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of these vulnerabilities could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.
Published: 2026-04-15
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Patch ASAP
AI Analysis

Impact

A flaw in Cisco Identity Services Engine (ISE) that allows an authenticated, remote attacker to send a specially crafted HTTP request to the ISE web interface. The insufficient validation of user input means the attacker can inject operating‑system commands. Once an exploit succeeds, the attacker gains user‑level access to the underlying OS and can then elevate privileges to root, giving full control over the device. In single‑node deployments, the attack can also crash the ISE node, causing a denial of service that blocks new endpoint authentications until the node is recovered.

Affected Systems

The vulnerability affects Cisco Identity Services Engine Software. No specific version numbers are disclosed in the advisory, so all deployments of ISE that have not applied a patch should be considered potentially vulnerable.

Risk and Exploitability

The vulnerability is rated CVSS 9.9, indicating a high severity level. The advisement does not list an EPSS score or a KEV designation. The attack requires remote access to the ISE management interface and the presence of a Read‑Only Admin credential, but it does not rely on other uncommon prerequisites. Because the vector is remote over HTTP, attackers with sufficient network access could launch the exploit without interacting with local users. The combined impact on confidentiality, integrity, and availability makes this an urgent risk that should be addressed promptly.

Generated by OpenCVE AI on April 15, 2026 at 19:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available Cisco ISE security patch or update that addresses the HTTP input validation flaw.
  • Restrict access to the ISE management interface by limiting it to a trusted internal network segment and enforce strong network segmentation and firewall rules.
  • Enforce the principle of least privilege – remove unnecessary Read‑Only Admin accounts and use role‑based access control to limit credentials that can be used to exploit the vulnerability.

Generated by OpenCVE AI on April 15, 2026 at 19:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 15 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have at least Read Only Admin credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of these vulnerabilities could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.
Title Cisco Identity Services Engine Multiple Remote Code Execution Vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-04-16T03:55:33.630Z

Reserved: 2025-10-08T11:59:15.393Z

Link: CVE-2026-20180

cve-icon Vulnrichment

Updated: 2026-04-15T16:56:22.641Z

cve-icon NVD

Status : Received

Published: 2026-04-15T17:17:03.460

Modified: 2026-04-15T17:17:03.460

Link: CVE-2026-20180

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T19:30:12Z

Weaknesses