Cisco warns of critical ISE flaw that can let attackers with admin credentials execute code remotely


Cisco has patched two serious vulnerabilities in Cisco Identity Services Engine and Cisco ISE Passive Identity Connector, including a critical remote code execution flaw that can let an authenticated attacker run commands on the underlying operating system. The flaws are tracked as CVE-2026-20181 and CVE-2026-20190.

The Cisco security advisory was first published on June 17, 2026 and updated on June 19, 2026. Cisco assigned the advisory an overall critical rating and said there are no workarounds, so affected organizations need to install fixed software.

Cisco ISE is sensitive infrastructure because it helps organizations decide who and what can access corporate networks. Cisco describes Cisco Identity Services Engine as a policy decision point that gathers intelligence to authenticate users and endpoints and help contain threats.

What Cisco fixed in ISE and ISE-PIC

The first vulnerability, CVE-2026-20181, affects Cisco ISE and ISE-PIC and can allow an authenticated remote attacker with valid administrative credentials to execute arbitrary commands. Cisco says the issue stems from insufficient validation of user-supplied input.

The second vulnerability, CVE-2026-20190, can allow an unauthenticated remote attacker to view sensitive information on an affected device. Cisco says the issue comes from improper authorization checks when a resource is accessed.

Both vulnerabilities affect Cisco ISE and Cisco ISE-PIC, regardless of device configuration. Cisco also says the flaws are independent, which means exploitation of one is not required to exploit the other.

CVE            | Severity | CVSS score | Access required                                              | Potential impact
CVE-2026-20181 | Critical | 9.1        | Authenticated attacker with valid administrative credentials | Remote command execution, privilege escalation to root, and possible denial of service
CVE-2026-20190 | High     | 7.5        | Unauthenticated remote attacker                              | Exposure of sensitive information, including hashed credentials

Why CVE-2026-20181 is critical

CVE-2026-20181 can be exploited by sending a crafted HTTP request to an affected Cisco ISE or ISE-PIC device. A successful attack can give the attacker user-level access to the underlying operating system and then allow escalation to root.

That makes the flaw especially serious for identity and network access environments. An attacker with control over an ISE node could disrupt authentication workflows, tamper with access-control infrastructure, or use the appliance as a foothold for further activity.

In single-node deployments, Cisco warns that successful exploitation could make the affected ISE node unavailable. Endpoints that had not already authenticated would be unable to access the network until the node is restored.

The information disclosure bug adds another risk

CVE-2026-20190 does not require authentication, which makes it important even though Cisco rates it lower than the RCE flaw. An attacker can exploit it by sending crafted traffic to an affected system.

If successful, the attacker can access sensitive information, including hashed credentials. Those credentials could support further attacks if they are cracked, reused, relayed, or combined with other access paths.

This is why the two bugs are a dangerous pairing for defenders. Cisco describes the flaws as independent, but the unauthenticated disclosure bug can hand an attacker hashed credentials, and if any of those hashes is cracked and belongs to an administrative account, it could supply exactly the precondition the RCE flaw requires: valid administrative credentials.

  • Identity infrastructure often has visibility across users, devices, and network access policies.
  • Hashed credentials can support follow-on credential attacks.
  • Administrative access to ISE can give attackers a path into high-value network control systems.
  • Single-node deployments face added availability risk if the node becomes unavailable.

Which Cisco ISE versions need updates?

Cisco has released fixes for several supported release trains. Administrators should check their installed version and patch level against Cisco's fixed software table before choosing an upgrade path.

The Cisco ISE release notes page lists current release documentation for Cisco ISE 3.5, 3.4, 3.3, 3.2, and 3.1. Organizations should use the release documentation together with the security advisory before making production changes.

Releases earlier than 3.3 have no fixed patch for CVE-2026-20181 and must be migrated to a fixed release. Cisco lists 3.3 and earlier as not vulnerable to CVE-2026-20190, so those deployments still need a migration path for the RCE issue even though the disclosure bug does not apply to them.

Cisco ISE or ISE-PIC release | Fix for CVE-2026-20181                                              | Fix for CVE-2026-20190
Earlier than 3.3             | Migrate to a fixed release                                          | Not vulnerable
3.3                          | 3.3 Patch 11                                                        | Not vulnerable
3.4                          | 3.4 Patch 6                                                         | 3.4 Patch 6
3.5                          | 3.5 Patch 4 (planned for August 2026), or hot patch for 3.5 Patch 3 | 3.5 Patch 4 (planned for August 2026), or hot patch for 3.5 Patch 3

No workaround is available

Cisco says there are no workarounds that address these vulnerabilities. The company recommends upgrading to the fixed software indicated in the advisory rather than relying on temporary mitigations.

The broader Cisco Security Advisories listing also shows the ISE advisory as critical and includes CVE-2026-20181 and CVE-2026-20190. Security teams should monitor that page for any future updates.

Cisco PSIRT said it was not aware of public announcements or malicious use of the vulnerabilities at the time of the advisory. That does not reduce the need to patch, because identity infrastructure often becomes a priority target after technical details become public.

How organizations should respond

Organizations using Cisco ISE should first identify every ISE and ISE-PIC deployment, including lab systems, disaster recovery nodes, and appliances that are not directly exposed to the internet. Internal exposure still matters because attackers often use stolen credentials after gaining a foothold elsewhere.

Administrators should then confirm whether management interfaces are reachable only from trusted networks. Limiting access to the management plane reduces attack opportunities for both flaws: the RCE bug requires valid administrative credentials, but the information disclosure bug does not, so an attacker needs nothing more than network reachability to the affected interface to attempt it.

The release notes should be reviewed before patching, especially for large clusters and managed environments. Cisco ISE upgrades can affect authentication workflows, certificates, integrations, and endpoint access behavior.

  • Inventory all Cisco ISE and ISE-PIC nodes.
  • Check each node's release and patch level.
  • Install 3.3 Patch 11 or 3.4 Patch 6 where applicable.
  • Contact Cisco TAC for the 3.5 Patch 3 hot patch if running Cisco ISE 3.5.
  • Plan for 3.5 Patch 4 when it becomes available in August 2026.
  • Restrict management access to trusted administrator networks.
  • Review admin accounts, roles, and recent login activity.
  • Monitor for unusual HTTP requests against Cisco ISE management interfaces.
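One way to turn the inventory and version-check steps above into a repeatable triage pass, as an added example that is not Cisco's code and is not from the original article. The fix levels are copied from the advisory table as reproduced on this page; the inventory CSV layout (node, release, patch, hotpatch), the sample node names and the `hotpatch` flag are assumptions, not an ISE export format.

```python
"""Triage a Cisco ISE / ISE-PIC inventory against the fixed-release table for
CVE-2026-20181 and CVE-2026-20190.

Added example, not Cisco's code. The fix levels below are taken from the
advisory table as reproduced in the article; the inventory CSV layout
(node,release,patch,hotpatch) is an assumed format, not an ISE export.
"""
import csv
import io

# Lowest patch level that carries the fix, per release train (from the article's table).
FIXED_PATCH = {
    "CVE-2026-20181": {"3.3": 11, "3.4": 6, "3.5": 4},
    "CVE-2026-20190": {"3.4": 6, "3.5": 4},
}
# Release trains below this (major, minor) are listed as not vulnerable.
NOT_VULNERABLE_BELOW = {"CVE-2026-20190": (3, 4)}
# Newest train the advisory table covers; anything newer is out of scope here.
NEWEST_LISTED_TRAIN = (3, 5)


def parse_train(release: str) -> tuple[int, int]:
    """Reduce a release string such as '3.3' or '3.3.0' to its (major, minor) train."""
    parts = release.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError(f"unrecognised release string: {release!r}")
    return int(parts[0]), int(parts[1])


def assess(release: str, patch: int, hotpatch: bool, cve: str) -> str:
    """Return the remediation status of one node for one CVE."""
    major, minor = parse_train(release)
    train = f"{major}.{minor}"

    if cve in NOT_VULNERABLE_BELOW and (major, minor) < NOT_VULNERABLE_BELOW[cve]:
        return "not vulnerable"
    if (major, minor) > NEWEST_LISTED_TRAIN:
        return "unlisted release train; check the current advisory"
    fixed = FIXED_PATCH[cve].get(train)
    if fixed is None:
        # Train is affected but has no fixed patch: the advisory says to migrate.
        return "vulnerable: migrate to a fixed release"
    if patch >= fixed:
        return "fixed"
    if train == "3.5":
        # 3.5 Patch 4 is not shipping yet; the TAC-supplied hot patch covers 3.5 Patch 3 only.
        if patch == 3 and hotpatch:
            return "fixed (hot patch on 3.5 Patch 3)"
        return ("vulnerable: 3.5 Patch 4 planned for August 2026; "
                "request the 3.5 Patch 3 hot patch from Cisco TAC")
    return f"vulnerable: install {train} Patch {fixed}"


def triage_inventory(csv_text: str) -> list[dict]:
    """Assess every node in an inventory CSV for both CVEs."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        patch = int(r["patch"])
        hotpatch = r.get("hotpatch", "").strip().lower() in {"yes", "true", "1"}
        rows.append({
            "node": r["node"],
            "release": r["release"],
            "patch": patch,
            "CVE-2026-20181": assess(r["release"], patch, hotpatch, "CVE-2026-20181"),
            "CVE-2026-20190": assess(r["release"], patch, hotpatch, "CVE-2026-20190"),
        })
    return rows


def needs_action(rows: list[dict]) -> list[str]:
    """Names of nodes with at least one 'vulnerable' status, for the work queue."""
    return [r["node"] for r in rows
            if any(r[c].startswith("vulnerable") for c in FIXED_PATCH)]


# Constructed sample inventory; node names and levels are made up for illustration.
SAMPLE_INVENTORY = """node,release,patch,hotpatch
ise-pan-01,3.3.0,9,no
ise-psn-02,3.4.0,6,no
ise-pic-01,3.2.0,7,no
ise-lab-01,3.5.0,3,yes
ise-dr-01,3.5.0,2,no
"""

if __name__ == "__main__":
    results = triage_inventory(SAMPLE_INVENTORY)
    for row in results:
        print(f"{row['node']:<12} {row['release']:<6} P{row['patch']:<3} "
              f"20181: {row['CVE-2026-20181']:<45} 20190: {row['CVE-2026-20190']}")
    print("needs action:", needs_action(results))
```

The `hotpatch` column exists because a TAC hot patch on 3.5 Patch 3 does not change the patch number, so it cannot be inferred from the version alone; whoever maintains the inventory has to record it. Nodes on trains newer than 3.5 are flagged as unlisted rather than assumed safe, since the advisory table on this page stops at 3.5.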

Why Cisco ISE exposure is high impact

Cisco ISE sits close to authentication, authorization, profiling, posture, guest access, and policy enforcement decisions. If attackers compromise that layer, the impact can extend beyond one appliance.

The Cisco ISE product page describes ISE as part of zero-trust architecture, helping ensure that only trusted users and devices can access resources. That role explains why organizations should treat ISE patching as a high-priority infrastructure task.

Security teams should also review related integrations, including Active Directory, RADIUS, TACACS+, network access devices, endpoint posture systems, and logging platforms. A compromised identity policy system can create confusing downstream effects across the network.

Defensive area    | Recommended action
Management access | Limit administrative access to dedicated networks and trusted jump hosts
Accounts          | Review local and external admin accounts for unusual changes
Logs              | Search for unexpected HTTP requests to the admin interface, failed admin login attempts, and unexpected session activity
Credentials       | Reset or rotate credentials if suspicious access is found
Availability      | Check high availability and backup plans for single-node or critical deployments

Who reported the vulnerabilities?

Cisco credited Jonathan Lein of TrendAI Research for reporting CVE-2026-20181. Cisco also thanked Li Jiantao and Tevel Sho of STAR Labs SG Pte. Ltd. for independently reporting the same RCE vulnerability.

Cisco credited Bobby Gould of TrendAI Zero Day Initiative for reporting CVE-2026-20190. The coordinated reporting gave Cisco time to release fixes before any known malicious use was reported.

The Cisco Security Advisories page remains the best place to check whether Cisco updates the advisory, adds new detection guidance, or changes fixed-release details.

Bottom line

The Cisco ISE flaws are serious because they affect identity and network access infrastructure. CVE-2026-20181 can lead to remote command execution by an attacker with valid administrative credentials, while CVE-2026-20190 can expose sensitive information to an unauthenticated remote attacker.

The Cisco advisory makes clear that no workaround is available. Patching or migrating to a fixed release is the only complete remediation path.

Organizations should prioritize Cisco ISE updates, restrict administrator access, review logs, and prepare response steps in case exposed credentials or suspicious management activity are found.

FAQ

What is CVE-2026-20181 in Cisco ISE?

CVE-2026-20181 is a critical remote code execution vulnerability in Cisco ISE and Cisco ISE-PIC. An authenticated remote attacker with valid administrative credentials can exploit it with a crafted HTTP request to execute commands on the underlying operating system.

What is CVE-2026-20190 in Cisco ISE?

CVE-2026-20190 is a high-severity information disclosure vulnerability in Cisco ISE and Cisco ISE-PIC. An unauthenticated remote attacker can exploit it with crafted traffic to access sensitive information, including hashed credentials.

Are the Cisco ISE vulnerabilities being actively exploited?

Cisco PSIRT said it was not aware of public announcements or malicious use of these vulnerabilities at the time of the advisory. Organizations should still patch quickly because ISE is high-value identity infrastructure.

Which Cisco ISE versions fix the vulnerabilities?

Cisco lists 3.3 Patch 11 and 3.4 Patch 6 as fixed releases where applicable. For Cisco ISE 3.5, Cisco says 3.5 Patch 4 is planned for August 2026, and a hot patch for 3.5 Patch 3 is available through Cisco TAC.

Is there a workaround for the Cisco ISE flaws?

No. Cisco says there are no workarounds for CVE-2026-20181 or CVE-2026-20190. Affected customers should upgrade or migrate to the fixed software versions listed by Cisco.
