Patch now! Attacks on Cisco Identity Services Engine are imminent
Attackers can read system data on Cisco Identity Services Engine, but exploitation is not easy: it requires administrator access.
Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) are vulnerable. Because exploit code is in circulation, attacks may be imminent; attackers must, however, clear one hurdle first. Security updates are available for download.
Software vulnerability
A security advisory states that Cisco's network access control solution is affected by a vulnerability (CVE-2026-20029) rated "medium". It can be exploited remotely, but only by an attacker who already holds administrator privileges. That is a high bar, but the exploit code now in circulation makes the situation more pressing.
If that prerequisite is met, attackers can target the web-based management interface of vulnerable instances and upload crafted XML files. "This vulnerability is due to improper processing of XML data by the web-based management interface of Cisco ISE and Cisco ISE-PIC," Cisco explains. A successful attacker can then read data on the underlying system that is normally off limits even to administrators. What attackers could do with that data is currently unknown. The flaw was discovered by researchers from Trend Micro's Zero Day Initiative.
No attacks observed yet
Cisco points to the existence of exploit code but, according to the manufacturer, no attacks have been observed so far. Administrators should nonetheless not wait and should install a version secured against the described attack. There are no security updates for ISE and ISE-PIC releases before 3.2; those installations must be upgraded to a still-supported release. Version 3.5 is not affected. Versions 3.2 Patch 8, 3.3 Patch 8, and 3.4 Patch 4 contain the fix.
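The fixed patch levels above are easy to misread when checking a fleet of nodes by hand, so here is an added helper (not from heise or Cisco) that classifies each node's version string against exactly the release and patch numbers stated in this article. It assumes version strings of the form "3.2 Patch 8" or "3.5", optionally with a build number such as "3.3.0.430 Patch 7"; the inventory at the bottom is constructed sample data, not real hosts, and releases the article does not mention (for example anything newer than 3.5) are reported as unknown rather than guessed.

```python
import re

# Fix levels as stated in the article, for both ISE and ISE-PIC:
# 3.2 Patch 8, 3.3 Patch 8, 3.4 Patch 4. Release 3.5 is reported as
# not affected; releases before 3.2 get no fix and must be upgraded.
FIXED_PATCH = {(3, 2): 8, (3, 3): 8, (3, 4): 4}
NOT_AFFECTED = {(3, 5)}
OLDEST_SUPPORTED = (3, 2)

# Assumed input format (not taken from the article or from Cisco output):
# "<major>.<minor>[.<build>...] [Patch <n>]", e.g. "3.4 Patch 3" or "3.5".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.\d+)*\s*(?:patch\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text):
    """Return (major, minor, patch); a missing patch level counts as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def assess(text):
    """Classify one ISE/ISE-PIC version string against the article's fix levels.

    Returns a string starting with one of: 'not affected', 'fixed',
    'vulnerable', 'unsupported', 'unknown'.
    """
    major, minor, patch = parse_version(text)
    release = (major, minor)
    if release < OLDEST_SUPPORTED:
        return "unsupported: no fix available, upgrade to a supported release"
    if release in NOT_AFFECTED:
        return "not affected"
    if release in FIXED_PATCH:
        needed = FIXED_PATCH[release]
        if patch >= needed:
            return "fixed"
        return f"vulnerable: install Patch {needed} or later"
    return "unknown: release not covered by the advisory summary"


# Constructed sample inventory for demonstration only (hostnames and
# versions are made up); a real run would read this from the ISE
# deployment page, an API export, or a CMDB.
INVENTORY = [
    ("ise-pan-01", "3.2 Patch 8"),
    ("ise-psn-02", "3.3.0.430 Patch 6"),
    ("ise-pic-01", "3.4 Patch 4"),
    ("ise-lab", "3.1 Patch 9"),
    ("ise-new", "3.5"),
]


def report(inventory):
    """Map each (host, version) pair to its assessment."""
    return {host: assess(version) for host, version in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:12} {status}")
```

The comparison deliberately works on (release, patch) tuples rather than on raw strings, because "3.4 Patch 10" sorts before "3.4 Patch 4" lexically but not numerically; keep the table in sync with Cisco's advisory rather than with this article if the fixed releases change.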
(des)