Cisco ISE RCE Flaws

- Cisco disclosed vulnerabilities in Identity Services Engine that can allow remote code execution.
- The flaws affect ISE, a central network access control and policy enforcement platform.
- Exposed control-plane systems require reassessing access policies, segmentation, and privileged admin paths. (thecyberexpress.com)

Cisco disclosed two critical security advisories on April 15 for Identity Services Engine, a central access-control product, warning that attackers with admin access can run commands on the underlying operating system. (cisco.com)

Identity Services Engine, or ISE, is the system many companies use to decide which users and devices can join wired, wireless, and virtual private network sessions. Cisco’s own documentation calls it an identity-based network access control and policy enforcement system and a policy decision point in zero-trust deployments. (cisco.com, cisco.com)

In one April 15 advisory, Cisco said CVE-2026-20180 and CVE-2026-20186 carry a CVSS severity score of 9.9 out of 10 and affect Cisco ISE regardless of device configuration. The company said exploitation requires at least Read Only Admin credentials and starts with a crafted HTTP request. (cisco.com)

In a second April 15 advisory, Cisco said CVE-2026-20147 and CVE-2026-20148 also score 9.9 and affect both ISE and ISE Passive Identity Connector, or ISE-PIC. Cisco said those flaws require valid administrative credentials and can be used for remote code execution or path traversal, which is a way to reach files outside the intended folder. (cisco.com)

Cisco said the bugs stem from insufficient validation of user-supplied input, meaning the software does not properly check what an authenticated administrator sends it. A successful exploit can give an attacker user-level operating-system access and then let that attacker elevate privileges to root. (cisco.com, cisco.com)

Cisco said single-node ISE deployments face an added risk: a successful exploit can make the node unavailable and block new endpoints from joining the network until the system is restored. That turns an access-control server into a potential outage point for offices, campuses, and remote-access users that depend on it. (cisco.com, cisco.com)

Cisco said there are no workarounds for either advisory and told customers to install fixed software. The company’s ISE security advisory list shows these disclosures landed alongside other ISE notices on April 15, including cross-site scripting and privilege-escalation issues. (cisco.com, cisco.com)

The April 15 disclosures also extend a busy run for ISE security fixes. Cisco’s advisory history shows unauthenticated remote code execution flaws in June and July 2025, authenticated remote code execution flaws in July 2025, and insecure deserialization and authorization-bypass issues in February 2025. (cisco.com, cisco.com, cisco.com, cisco.com)

For defenders, the immediate question is not only patching but also who already holds ISE administrative access, including read-only roles that Cisco said are enough for one exploit path. On a product that sits in the middle of authentication and policy decisions, that makes admin accounts, management interfaces, and segmentation boundaries the first places to review. (cisco.com, cisco.com)
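The review the last paragraph calls for can be turned into a repeatable triage pass. The script below is an added example, not Cisco's code and not an ISE export format: it walks a constructed inventory of ISE deployments (patch state, node count, which networks can reach the admin UI, and the admin accounts with their roles) and ranks findings by the risks the advisories describe, with Read Only Admin accounts and single-node deployments called out explicitly. The inventory fields, the trusted-network name, and the role strings other than "Read Only Admin" are assumptions made for the example.

```python
"""Triage pass for the Cisco ISE advisories described above.

Added example (not Cisco's code). The inventory shape below is an assumption
built for this example, not an ISE export or API format; fill it from
whatever source of truth the team keeps.
"""
from dataclasses import dataclass, field
from typing import List

# Assumption: the only network that should be able to reach the ISE admin UI.
TRUSTED_ADMIN_NETWORKS = {"mgmt-vlan"}


@dataclass
class AdminAccount:
    username: str
    roles: List[str]


@dataclass
class IseDeployment:
    name: str
    node_count: int
    fixed_release_installed: bool   # tracked by the admin; the page lists no versions
    admin_ui_networks: List[str]    # constructed field: networks that can reach the UI
    admins: List[AdminAccount]


@dataclass(order=True)
class Finding:
    priority: int                   # 1 = act now, 3 = review
    deployment: str
    message: str = field(compare=False)


def is_admin_role(role: str) -> bool:
    """Any role granting admin UI access counts: the advisories need only
    admin-level credentials, and Read Only Admin is enough for one path."""
    return "admin" in role.lower()


def triage(deployments: List[IseDeployment]) -> List[Finding]:
    findings: List[Finding] = []
    for d in deployments:
        admin_accounts = [a for a in d.admins if any(is_admin_role(r) for r in a.roles)]
        read_only = [a for a in admin_accounts if "Read Only Admin" in a.roles]

        if not d.fixed_release_installed:
            findings.append(Finding(1, d.name,
                f"unpatched: {len(admin_accounts)} accounts hold admin roles, "
                "each sufficient for OS-level access per the advisories"))
            if d.node_count == 1:
                findings.append(Finding(1, d.name,
                    "single-node deployment: exploitation can also take the node "
                    "down and block new endpoints from joining"))

        if read_only:
            names = ", ".join(a.username for a in read_only)
            findings.append(Finding(2, d.name,
                f"Read Only Admin accounts ({names}) are enough for the "
                "CVE-2026-20180/20186 path; confirm each still needs the role"))

        for net in d.admin_ui_networks:
            if net not in TRUSTED_ADMIN_NETWORKS:
                findings.append(Finding(3, d.name,
                    f"admin UI reachable from untrusted network '{net}'; "
                    "restrict to the management segment"))
    # Stable sort: priority first, then deployment name; insertion order otherwise.
    return sorted(findings)


# Constructed sample inventory (not real hosts or accounts).
SAMPLE_DEPLOYMENTS = [
    IseDeployment("campus-ise", node_count=1, fixed_release_installed=False,
                  admin_ui_networks=["mgmt-vlan", "corp-wifi"],
                  admins=[AdminAccount("alice", ["Super Admin"]),
                          AdminAccount("bob", ["Read Only Admin"]),
                          AdminAccount("carol", ["Helpdesk"])]),
    IseDeployment("dc-ise", node_count=2, fixed_release_installed=True,
                  admin_ui_networks=["mgmt-vlan"],
                  admins=[AdminAccount("dave", ["Read Only Admin"])]),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_DEPLOYMENTS):
        print(f"P{f.priority} {f.deployment}: {f.message}")
```

Priority 1 items are the unpatched deployments, with single-node ones doubly flagged because the advisory ties exploitation to an availability outage; priority 2 lists the read-only admins who can reach the CVE-2026-20180/20186 path; priority 3 covers admin-UI exposure outside the management segment.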
