Description
A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have at least Read Only Admin credentials.

This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of these vulnerabilities could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.
Published: 2026-04-15
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A command injection flaw in Cisco Identity Services Engine allows an attacker who can authenticate with at least Read Only Admin credentials to send a crafted HTTP request and execute arbitrary commands on the underlying operating system. The insufficient input validation leads to arbitrary code execution, giving the attacker user-level access on the OS and the possibility to elevate privileges to root. In single-node installations the resulting compromise can render the ISE node unavailable, causing a denial-of-service that blocks unauthenticated endpoints from reaching the network until the node is restored.

Affected Systems

Cisco Identity Services Engine Software is affected; no specific version information is supplied, so any deployment of this product is potentially vulnerable.

Risk and Exploitability

The flaw scores a CVSS of 9.9, indicating critical severity. Exploitation requires authenticated access, so the risk is concentrated on systems where Read Only Admin credentials exist. Because the vulnerability is not listed in KEV and EPSS data is unavailable, there is no current evidence of widespread exploitation, but the impact remains high should an attacker gain legitimate credentials. Attackers can launch the exploit by crafting an HTTP request directed at the vulnerable endpoint, leveraging the lack of command-input sanitization.

Generated by OpenCVE AI on April 15, 2026 at 22:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Cisco ISE security patch or upgrade to a version that contains the fix for the command-injection vulnerability.
  • Restrict Read Only Admin access by enforcing least privilege: limit the number of users with administrative rights, change default passwords, and audit authentication logs for suspicious activity.
  • Configure IP-based access controls (e.g., firewall rules, VPN, or IP allow-listing) to restrict remote connections to the ISE management interfaces.
  • Continuously monitor ISE system logs for unexpected shell execution or anomalous command patterns to detect potential exploitation attempts.

Generated by OpenCVE AI on April 15, 2026 at 22:18 UTC.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 09:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Cisco; Cisco identity Services Engine Software
Vendors & Products                      Cisco; Cisco identity Services Engine Software

Wed, 15 Apr 2026 17:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 16:30:00 +0000

Type          Values Removed    Values Added
Description                     A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have at least Read Only Admin credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of these vulnerabilities could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.
Title                           Cisco Identity Services Engine Multiple Authenticated Remote Code Execution Vulnerability
Weaknesses                      CWE-77
References
Metrics                         cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-04-16T03:55:36.590Z

Reserved: 2025-10-08T11:59:15.394Z

Link: CVE-2026-20186

Vulnrichment

Updated: 2026-04-15T16:56:28.669Z

NVD

Status : Received

Published: 2026-04-15T17:17:03.933

Modified: 2026-04-15T17:17:03.933

Link: CVE-2026-20186

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:12:46Z

Weaknesses