Cisco patches Identity Services Engine flaw after public exploit release
Take action: This is not an urgent flaw, but it is wise to plan an update since a PoC exploit exists. It is likely to be bundled into second-stage attacks after user credentials have been compromised. So plan an update to your Cisco ISE and, for good measure, check whether you can isolate the ISE management interface from public networks.
Cisco has released security updates to address a medium-severity vulnerability in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC).
The flaw is tracked as CVE-2026-20029 (CVSS score 4.9), an XML External Entity (XXE) processing vulnerability in Cisco ISE and ISE-PIC. It is caused by improper parsing of XML data within the licensing feature of the web-based management interface.
The vulnerability allows an authenticated remote attacker with administrative privileges to read arbitrary files from the underlying operating system. By uploading a maliciously crafted XML file to the application, an attacker can bypass intended access restrictions to view sensitive data that should remain inaccessible even to administrators.
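The XXE primitive described above depends on the parser honouring a DOCTYPE with an external entity declaration in an uploaded license file. As an added example (not Cisco's code and not the patched parser), the Python below shows a defence-in-depth gate that an upload handler can run before the real parse: it walks the document with expat declaration callbacks, resolves nothing, and refuses any file that declares a DOCTYPE or an entity, which a license file has no legitimate reason to contain. The element names and both sample files are constructed for illustration; the vendor patch remains the actual fix.

```python
"""Defence-in-depth gate: refuse XML uploads that declare a DOCTYPE or entities."""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when an upload contains DOCTYPE or entity declarations."""


def find_unsafe_constructs(xml_bytes: bytes) -> list:
    """Scan without resolving anything; return findings (empty list means clean)."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()
    # Never load parameter entities or an external DTD subset during the scan.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE declaration for <{name}>"
                        + (f" with external DTD {sysid!r}" if sysid else ""))

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # A SYSTEM/PUBLIC identifier marks an external entity: the XXE primitive.
        kind = "external" if sysid is not None else "internal"
        findings.append(f"{kind} entity declaration {name!r}"
                        + (f" -> {sysid!r}" if sysid else ""))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings


def parse_license_upload(xml_bytes: bytes) -> ET.Element:
    """Parse an uploaded license file only if the pre-scan found nothing."""
    findings = find_unsafe_constructs(xml_bytes)
    if findings:
        raise UnsafeXmlError("; ".join(findings))
    return ET.fromstring(xml_bytes)


# Constructed samples (hypothetical element names, not Cisco's license schema).
CLEAN_LICENSE = b'<?xml version="1.0"?><license><product>ISE</product><seats>50</seats></license>'
XXE_LICENSE = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE license [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
               b'<license><product>&xxe;</product></license>')

if __name__ == "__main__":
    print("clean:", find_unsafe_constructs(CLEAN_LICENSE))  # []
    print("xxe:", find_unsafe_constructs(XXE_LICENSE))
```

The scan deliberately reports rather than strips: an upload that carries a DOCTYPE is rejected outright, so the file never reaches a parser whose entity handling you cannot control.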
A public proof-of-concept (PoC) exploit is currently available, increasing the risk of exploitation, although Cisco reports no known malicious use in the wild at this time.
Cisco recommends that administrators upgrade to fixed releases immediately, as no manual workarounds exist for this flaw. Fixed versions for ISE include 3.2 Patch 8, 3.3 Patch 8, and 3.4 Patch 4. Version 3.5 is confirmed as not vulnerable.