Critical Command Execution Vulnerability Patched in Cisco ISE
Cisco has patched a critical command execution vulnerability in Identity Services Engine (ISE) that could allow authenticated attackers to gain root-level access and disrupt network operations.
Cisco has released fixes for a critical-severity command execution vulnerability in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), addressing a flaw that could allow authenticated attackers to take full control of affected systems.
Tracked as CVE-2026-20181 with a CVSS score of 9.1, the vulnerability stems from improper validation of user-supplied input. An attacker with valid administrative credentials can send a crafted HTTP request to the ISE web interface, triggering arbitrary command execution on the underlying operating system. Once user-level access is obtained, the attacker can escalate privileges to root, effectively compromising the entire device.
In single-node deployments, the flaw poses an additional risk: an attacker could exploit it to cause a denial-of-service (DoS) condition, preventing endpoints that have not yet authenticated from accessing the network until the node is restored. This could cripple network access for large segments of users, making the vulnerability particularly dangerous for organizations relying on ISE for network access control.
Cisco has addressed the bug with the release of ISE and ISE-PIC versions 3.3 Patch 11 and 3.4 Patch 6. A hotfix for ISE version 3.5 is also available and will be included in version 3.5 Patch 4, scheduled for August. The company says it is not aware of any of these security flaws being exploited in the wild, but given the critical severity and the requirement for administrative credentials, organizations should prioritize patching.
The updates also resolve a high-severity information disclosure defect, tracked as CVE-2026-20190, which could allow unauthenticated attackers to access sensitive data such as hashed credentials. On Wednesday, Cisco additionally released fixes for medium-severity vulnerabilities in the Webex App, the Umbrella Virtual Appliance, and the Crosswork Network Controller that could lead to malicious redirects, privilege escalation, and arbitrary command execution.
This latest advisory continues a pattern of critical command injection flaws in network infrastructure products. While the vulnerability requires authenticated access, the potential for privilege escalation to root and the DoS impact in single-node deployments make it a serious concern for enterprises that use ISE as a central policy enforcement point. Administrators are urged to apply the patches as soon as possible, as no workarounds are available.
The advisory also reveals a second critical vulnerability, CVE-2026-20190 (CVSS 8.6), which allows unauthenticated attackers to leak sensitive data including hashed credentials from affected ISE and ISE-PIC deployments. While the earlier report focused on the command execution flaw, this new information disclosure vector can be exploited remotely without authentication, enabling credential theft that could facilitate lateral movement. Cisco has released fixes in ISE 3.3 Patch 11 and 3.4 Patch 6, with a patch for ISE 3.5 Patch 4 expected in August 2026; no workarounds exist for either flaw.