CVE-2026-20147
Command Injection in Cisco ISE Allows Remote Root Access
Publication date: 2026-04-15
Last updated on: 2026-04-15
Assigner: Cisco Systems, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | ise | * |
| cisco | ise-pic | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Cisco ISE and Cisco ISE-PIC and allows an authenticated remote attacker to execute arbitrary commands on the underlying operating system of the affected device.
To exploit this vulnerability, the attacker must have valid administrative credentials and send a specially crafted HTTP request to the device.
The root cause is insufficient validation of user-supplied input, which enables the attacker to gain user-level access and then escalate privileges to root.
How can this vulnerability impact me?
Exploitation of this vulnerability can allow an attacker to execute arbitrary commands with root privileges on the affected device.
In single-node ISE deployments, successful exploitation could cause the node to become unavailable, resulting in a denial of service (DoS) condition.
During a DoS condition, endpoints that have not yet authenticated would be unable to access the network until the node is restored.
What immediate steps should I take to mitigate this vulnerability?
This vulnerability requires valid administrative credentials to exploit and involves sending crafted HTTP requests to affected Cisco ISE or Cisco ISE-PIC devices.
Immediate mitigation steps include restricting administrative access to trusted personnel only and monitoring for unusual HTTP requests to the device.
Additionally, consider isolating affected nodes to prevent denial of service conditions and restoring nodes promptly if they become unavailable.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated attacker to execute arbitrary commands on the underlying operating system of affected Cisco ISE devices, potentially leading to unauthorized access and denial of service.
Such unauthorized access and potential service disruption could impact the confidentiality, integrity, and availability of sensitive data managed or protected by these devices.
Therefore, exploitation of this vulnerability could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and maintaining system availability.