
Critical Vulnerabilities in Cisco ISE Pose a Serious Threat to Corporate Network Security!
In corporate networks, the processes of identification, authentication, and access management are among the most critical components of information security. It is precisely for this reason that vulnerabilities discovered in this infrastructure can negatively impact the security of an organization’s entire information system.
Cisco recently announced the presence of several critical vulnerabilities in its widely used Identity Services Engine (ISE) and Identity Services Engine Passive Identity Connector (ISE-PIC) products. These vulnerabilities create the potential for remote code execution and disclosure of confidential information, posing a high level of threat to corporate networks.
These vulnerabilities are registered under identifiers CVE-2026-20181 and CVE-2026-20190 and were announced by Cisco on June 17, 2026. In terms of severity, they have been assigned a CVSS score of 9.1, indicating an extremely high level of risk.
CVE-2026-20181: Remote Code Execution Capability
One of the most dangerous vulnerabilities discovered is CVE-2026-20181, which arises from insufficient validation of user-supplied input.
To exploit this vulnerability, an attacker must possess administrative privileges on the system. Subsequently, they can send specially crafted HTTP requests and execute arbitrary commands on the vulnerable system.
Successful exploitation can lead to the following capabilities:
- execution of commands at the operating system level;
- obtaining privileges higher than those of a regular user;
- gaining root-level control;
- bypassing security mechanisms;
- establishing full control over the network infrastructure.
Furthermore, in single-node ISE environments, this vulnerability can also lead to a Denial of Service (DoS) condition. As a result, new devices and users will be unable to authenticate to the network, which can disrupt corporate operations.
CVE-2026-20190: Risk of Confidential Information Disclosure
The second vulnerability — CVE-2026-20190 — is related to improper authorization control and can be exploited by a remote attacker without authentication.
The attacker can send specially crafted requests and gain access to certain confidential information stored on the device. This may include:
- hashed authentication credentials;
- system configuration information;
- certain data regarding user and service accounts.
Such information can be used in subsequent stages of attacks, including password recovery, lateral movement, and privilege escalation.
Which Versions Are Affected?
According to Cisco, the vulnerabilities affect all versions of Cisco ISE and ISE-PIC to varying degrees. The company has released updates addressing the issue for the following versions:
- Cisco ISE 3.3 Patch 11;
- Cisco ISE 3.4 Patch 6.
Additionally, fixes for Cisco ISE 3.5 are planned to be released as part of Patch 4.
Organizations using unsupported older versions are strongly advised to migrate to supported versions as soon as possible.
It is important to note that Cisco has stated that no temporary mitigation measures or workarounds are available for these vulnerabilities. Therefore, updating the software is the only effective means of protection.
No Active Exploitation Detected So Far
According to the Cisco Product Security Incident Response Team (PSIRT), no confirmed cases of active exploitation of these vulnerabilities have been reported to date.
However, experience shows that critical vulnerabilities in identification and access management systems are rapidly studied and exploited by cybercriminals after public disclosure. Therefore, organizations should install updates without delay.
Recommendations for Organizations
Organizations utilizing Cisco ISE infrastructure are advised to take the following measures:
- immediately conduct an inventory of system versions;
- identify vulnerable versions and update them;
- restrict the use of administrator accounts;
- ensure that administrative interfaces are accessible only from trusted networks;
- regularly monitor HTTP requests and system logs;
- monitor suspicious activities related to privilege escalation;
- implement multi-factor authentication (MFA);
- strengthen network segmentation;
- enhance security incident detection and response mechanisms.
The vulnerabilities CVE-2026-20181 and CVE-2026-20190, discovered in Cisco ISE and ISE-PIC products, are assessed as one of the most serious threats to corporate identity infrastructure. Of particular concern is the vulnerability enabling remote code execution, which provides attackers with the ability to establish full control over the system.
This case once again demonstrates that identification and access management systems are not merely a tool for user authentication but a foundational element of overall corporate network security. Therefore, organizations must regularly update their infrastructure, strengthen security monitoring, and promptly remediate discovered vulnerabilities.



