
Cisco has patched a security flaw in its Identity Services Engine after a public proof-of-concept exploit was dropped. The vulnerability could have enabled hackers to attack corporate identity systems.
The vulnerability, tracked as CVE-2026-20029 with a CVSS score of 4.9, affects popular Cisco products widely used to secure corporate networks, specifically the Identity Services Engine (ISE) and the ISE Passive Identity Connector (ISE-PIC).
While Cisco rates the issue as medium severity, the existence of a working proof-of-concept (PoC) exploit has raised the stakes. A PoC exploit is code that demonstrates a security flaw can actually be triggered and shows what an attacker could do with it.
The affected versions include:
- Cisco ISE or ISE-PIC releases earlier than 3.2 (upgrade required)
- Release 3.2 (fixed in Patch 8)
- Release 3.3 (fixed in Patch 8)
- Release 3.4 (fixed in Patch 4)
According to Cisco’s security advisory, the vulnerability in ISE’s licensing feature could allow attackers to expose sensitive configuration files, credentials, or internal system data.
“A successful exploit could allow the attacker to read arbitrary files from the underlying operating system that could include sensitive data that should otherwise be inaccessible even to administrators,” Cisco says.
According to the company, the vulnerability is due to “improper parsing of XML files” handled by the web-based management interface. An attacker could exploit this vulnerability by uploading a malicious file to the application.
However, the company highlights that the attacker “must have valid administrative credentials.”
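As an added illustration (not Cisco's code and not the patch): the advisory excerpt above says only that the flaw stems from improper parsing of XML files uploaded through the management interface and that it lets an administrator read arbitrary files. One well-known way an XML parser can be coaxed into reading local files is through DTD entity declarations, so a defensive upload handler should refuse any document that carries a DOCTYPE or entity declaration before the document is parsed at all. The function names, the sample documents, the placeholder file path and the path-keyed output format below are assumptions constructed for this example, and Python's standard-library expat stands in for whatever parser ISE actually uses.

```python
"""Hardened handling of an untrusted XML upload (added example).

Assumption: the page does not say how ISE parses uploads; this code shows
the general defensive pattern (reject DTDs and entities, bound the size,
treat parse errors as rejections) rather than Cisco's implementation.
"""
import xml.parsers.expat


class UnsafeXmlUpload(ValueError):
    """Raised when an uploaded document is rejected before or during parsing."""


def parse_untrusted_xml(data: bytes, max_bytes: int = 64 * 1024) -> dict:
    """Parse an uploaded XML document into {element/path: text}.

    Any DOCTYPE, entity declaration or external entity reference aborts
    parsing, so the parser never gets a chance to resolve a local file.
    """
    if len(data) > max_bytes:
        raise UnsafeXmlUpload("upload exceeds size limit")

    parser = xml.parsers.expat.ParserCreate()

    # Exceptions raised inside expat callbacks propagate out of Parse().
    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise UnsafeXmlUpload(f"DOCTYPE declaration not allowed: {doctype_name}")

    def reject_entity(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXmlUpload(f"entity declaration not allowed: {name}")

    def reject_external_ref(context, base, system_id, public_id):
        raise UnsafeXmlUpload(f"external entity reference not allowed: {system_id}")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external_ref

    # Collect leaf text keyed by element path, e.g. "license/product".
    path = []
    chunks = {}

    def start(name, attrs):
        path.append(name)
        chunks.setdefault("/".join(path), [])

    def end(name):
        path.pop()

    def chars(text):
        if path:
            chunks["/".join(path)].append(text)

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars

    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXmlUpload(f"malformed XML: {exc}") from exc

    return {k: "".join(v).strip() for k, v in chunks.items() if "".join(v).strip()}


def is_safe_upload(data: bytes) -> bool:
    """Convenience wrapper: True if the document parses under the strict rules."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXmlUpload:
        return False


# Constructed sample inputs (not real ISE license files).
BENIGN_UPLOAD = (
    b'<?xml version="1.0"?>'
    b'<license><product>ISE</product><expiry>2027-01-01</expiry></license>'
)
# Declares an external entity pointing at a placeholder path; must be refused.
ENTITY_UPLOAD = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE license [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b'<license><product>&ext;</product></license>'
)
TRUNCATED_UPLOAD = b'<license><product>ISE'

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_UPLOAD))
    for sample in (ENTITY_UPLOAD, TRUNCATED_UPLOAD):
        print("accepted" if is_safe_upload(sample) else "rejected")
```

The check deliberately fires on the DOCTYPE itself rather than trying to distinguish harmless internal entities from external ones: configuration uploads have no legitimate need for a DTD, and rejecting early keeps the decision independent of which parser features happen to be enabled.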
The vulnerability was discovered and reported by Bobby Gould of Trend Micro’s Zero Day Initiative. Cisco confirmed that public PoC exploit code is now available.
The company says it has no evidence of exploitation in the wild. There are no workarounds, so Cisco is urging customers to apply the patches.
Additional Cisco vulnerabilities fixed
Alongside the ISE fixes, Cisco also released patches for two additional medium-severity vulnerabilities in Snort 3, which affect how the detection engine processes DCE/RPC requests.
Reported by Trend Micro researcher Guy Lederfein, the vulnerabilities affected multiple Cisco platforms, including Secure Firewall Threat Defense (FTD) when Snort 3 is enabled, Cisco IOS XE, and Cisco Meraki products.
One vulnerability, CVE-2026-20026, could allow an unauthenticated attacker to trigger a denial-of-service condition, while the other, CVE-2026-20027, could lead to sensitive information disclosure.
Hackers targeting Cisco
Cisco products widely used in enterprise networks are frequent targets for attackers. Public scans have revealed that hackers can easily find 192,038 vulnerable Cisco network devices exposed on the internet. Many of them are likely still unpatched.
At the end of 2025, Cisco’s Talos researchers detected a critical vulnerability, tracked as CVE-2025-2039, potentially enabling the takeover of exposed email security appliances. The vulnerability affecting popular Cisco products has already been exploited in the wild by suspected China-aligned hackers.
In mid-2025, Cisco Systems reported that a vishing attack targeting one of its employees resulted in a data breach, exposing the personal information of Cisco.com user accounts through an unnamed third-party CRM system.