Cisco warns of Identity Service Engine flaw with exploit code

Published: 8 January 2026 at 09:13:17

Alert date: 8 January 2026 at 10:01:52

Source: bleepingcomputer.com

Network Infrastructure, Identity & Access, Zero-Day Vulnerabilities

Cisco has patched a vulnerability in its Identity Services Engine (ISE) for which public proof-of-concept exploit code is available. The flaw can be exploited by attackers who have administrative privileges on the system. The existence of public exploit code increases the risk of exploitation, making this a high-priority security issue for organizations using Cisco ISE. Organizations should prioritize applying the available patches to mitigate potential attacks.

Technical details

CVE-2026-20029 is an XML External Entity (XXE) vulnerability affecting Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). The flaw is due to improper parsing of XML processed by the web-based management interface. Attackers with administrative credentials can exploit this by uploading a malicious file to read arbitrary files from the underlying operating system, potentially accessing sensitive data normally inaccessible even to administrators. Public proof-of-concept exploit code is available online.
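The class of check that prevents this kind of XML parsing flaw, shown as an added example (it is not Cisco's code and not part of the original advisory): a Python guard that validates an uploaded XML file and refuses DOCTYPE and entity declarations before any application parser handles it. The names `check_upload` and `UnsafeXML` and the sample documents are constructed for illustration.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Uploaded document uses a construct that XXE depends on."""


def check_upload(data: bytes, allow_doctype: bool = False) -> str:
    """Validate uploaded XML and return its root element name.

    Raises UnsafeXML on a DOCTYPE (unless allow_doctype is set), an
    external DTD subset, any entity declaration, or malformed input.
    """
    parser = expat.ParserCreate()
    root = []

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if not allow_doctype:
            raise UnsafeXML(f"DOCTYPE declaration rejected: {name!r}")
        if system_id is not None or public_id is not None:
            raise UnsafeXML(f"external DTD subset rejected: {system_id!r}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Fires at declaration time, before any reference is expanded.
        kind = "external" if system_id is not None else "internal"
        raise UnsafeXML(f"{kind} entity declaration rejected: {name!r}")

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from exc
    return root[0]


# Constructed sample inputs (not taken from any real exploit or product).
BENIGN = b"<policy><name>guest-access</name></policy>"
WITH_ENTITY = (b'<!DOCTYPE policy [<!ENTITY e SYSTEM "file:///constructed/placeholder">]>'
               b"<policy><name>&e;</name></policy>")
DOCTYPE_ONLY = b"<!DOCTYPE policy><policy/>"
```

The defusedxml package applies the same handler-based approach to Python's standard-library parsers.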

Mitigation steps:

Upgrade to fixed software versions: ISE 3.2 Patch 8, ISE 3.3 Patch 8, ISE 3.4 Patch 4, or migrate versions earlier than 3.2 to a fixed release. ISE 3.5 is not vulnerable. For CVE-2025-20393, secure and restrict access to vulnerable appliances by restricting connections to trusted hosts, limiting internet access, and placing them behind firewalls to filter traffic until patches are available.

Affected products:

Cisco Identity Services Engine (ISE): versions earlier than 3.2, 3.2, 3.3, 3.4
Cisco ISE Passive Identity Connector (ISE-PIC): versions earlier than 3.2, 3.2, 3.3, 3.4
Cisco IOS XE with Snort 3 Detection Engine
Cisco AsyncOS Secure Email and Web Manager (SEWM)
Cisco AsyncOS Secure Email Gateway (SEG)

This article was created with the assistance of AI technology by Perceptive.

Disclaimer: This website displays information from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.