Critical (9.9)

Cisco ISE authenticated command execution (CVE-2026-20147)

CVE-2026-20147

A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vul...

Overview

A critical vulnerability in Cisco Identity Services Engine (ISE) and ISE Policy Integration Client (ISE-PIC) allows authenticated administrators to execute arbitrary commands on the device’s underlying operating system. Tracked as CVE-2026-20147 with a maximum CVSS score of 9.9, this flaw stems from insufficient input validation in the web interface.

Vulnerability Details

The vulnerability exists because the affected software does not properly validate user-supplied input in specific HTTP requests. An attacker with valid administrative credentials can send a crafted HTTP request to exploit this weakness.

A successful exploit grants the attacker initial access at the user level on the host operating system. The attacker can then leverage this foothold to escalate privileges to the root level, gaining complete control over the appliance. In single-node ISE deployments, exploitation can also cause the node to become unavailable, creating a denial-of-service (DoS) condition. This would prevent new endpoints from authenticating to the network until service is restored.

Affected Products

This vulnerability affects the following Cisco products:

  • Cisco Identity Services Engine (ISE)
  • Cisco Identity Services Engine Policy Integration Client (ISE-PIC)

Administrators should consult the official Cisco Security Advisory for a detailed list of affected software versions. Cisco has released software updates that address this vulnerability.

Remediation and Mitigation

The primary and most effective action is to apply the relevant patch provided by Cisco. There are no workarounds that address this vulnerability.

Immediate Action Required:

  1. Patch: Upgrade affected devices to a fixed software version as listed in the security advisory. This is the only complete remediation.
  2. Principle of Least Privilege: Strictly enforce least privilege for administrative accounts. Because exploitation requires admin credentials, reducing the number of users who hold this level of access directly shrinks the attack surface.
  3. Network Controls: As a general best practice, restrict management interface access to trusted source IP addresses using network access control lists (ACLs).
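As an added illustration of step 3 (not from the advisory and not Cisco's own configuration guidance), the following Cisco IOS-style extended ACL confines the ISE admin GUI (HTTPS) and CLI (SSH) to an admin jump subnet while still letting network devices reach the AAA services. The addresses, subnets, second ISE node and interface name are constructed assumptions; the full set of ports ISE must accept should be taken from Cisco's ISE port reference, not from this list.

```cisco
! Added example, not part of the original advisory. Applied OUTBOUND on the
! upstream Layer 3 interface whose next hop is the ISE node, so it filters
! packets heading toward ISE. All addresses below are constructed placeholders.
ip access-list extended ISE-MGMT-RESTRICT
 remark Admin GUI (HTTPS) and CLI (SSH) only from the admin jump subnet
 permit tcp 10.10.50.0 0.0.0.255 host 10.10.10.5 eq 443
 permit tcp 10.10.50.0 0.0.0.255 host 10.10.10.5 eq 22
 remark Distributed deployments sync between nodes over HTTPS; keep the peer node
 permit tcp host 10.10.10.6 host 10.10.10.5 eq 443
 remark Every other source is blocked from the management plane and logged
 deny   tcp any host 10.10.10.5 eq 443 log
 deny   tcp any host 10.10.10.5 eq 22 log
 remark RADIUS and TACACS+ from network access devices must still reach ISE
 permit udp 10.20.0.0 0.0.255.255 host 10.10.10.5 range 1812 1813
 permit tcp 10.20.0.0 0.0.255.255 host 10.10.10.5 eq 49
 remark Remaining services (DNS, NTP, AD, pxGrid, etc.) per Cisco port reference
 permit ip any any
!
interface GigabitEthernet0/1
 description Link toward ISE node 10.10.10.5 (assumed topology)
 ip access-group ISE-MGMT-RESTRICT out
```

The logged deny entries also give the SOC a simple signal: any hit on those lines is a management-plane connection attempt from outside the approved admin subnet and is worth reviewing alongside ISE's own administrator audit records.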

While this vulnerability is not currently listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog, its critical severity and potential impact warrant urgent patching.

Security Insight

This vulnerability highlights the persistent risk of improper input validation in network management interfaces, even for credentialed users. It echoes the pattern seen in incidents like the Interlock ransomware group’s exploitation of a Cisco FMC zero-day, where administrative access was leveraged for deeper system compromise. For critical infrastructure components like network access control systems, a “trust but verify” approach to all user input, regardless of privilege level, remains essential.
