CVE-2026-20180
Command Injection in Cisco ISE Allows Remote Root Access
Publication date: 2026-04-15
Last updated on: 2026-04-15
Assigner: Cisco Systems, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | identity_services_engine | up to 3.2 (exclusive) |
| cisco | identity_services_engine | 3.2_patch_8 |
| cisco | identity_services_engine | 3.3_patch_8 |
| cisco | identity_services_engine | 3.4_patch_4 |
| cisco | identity_services_engine | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Cisco Identity Services Engine (ISE) allows an authenticated remote attacker to execute arbitrary commands on the underlying operating system, potentially leading to full system compromise.
Such a compromise could impact the confidentiality, integrity, and availability of sensitive data managed or protected by the affected device.
This could lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health information against unauthorized access and system disruptions.
Additionally, the potential denial of service (DoS) condition caused by exploitation could disrupt network access controls, further affecting compliance with availability and security requirements.
No specific compliance impact statements are provided in the available resources, but the critical severity and potential for full system compromise imply significant risk to regulatory compliance.
Can you explain this vulnerability to me?
CVE-2026-20180 is a critical remote code execution vulnerability in Cisco Identity Services Engine (ISE). It allows an authenticated remote attacker with at least Read Only Admin credentials to execute arbitrary commands on the underlying operating system of the affected device.
The vulnerability arises from insufficient validation of user-supplied input, which can be exploited by sending specially crafted HTTP requests to the device. Successful exploitation grants the attacker user-level OS access, which can then be escalated to root privileges.
In single-node ISE deployments, exploiting this vulnerability may cause the node to become unavailable, resulting in a denial of service (DoS) condition that prevents unauthenticated endpoints from accessing the network until the node is restored.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized execution of arbitrary commands on the device's operating system, potentially leading to full control of the system by an attacker.
An attacker could escalate privileges to root, compromising confidentiality, integrity, and availability of the system.
In single-node deployments, exploitation can cause denial of service, making the ISE node unavailable and preventing network access for endpoints that have not yet authenticated.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no specific detection commands or methods provided in the available information to identify this vulnerability on your network or system.
What immediate steps should I take to mitigate this vulnerability?
Cisco strongly recommends upgrading to a fixed software release to remediate these vulnerabilities, as no workarounds are available.
- Upgrade Cisco Identity Services Engine (ISE) to version 3.2 Patch 8, 3.3 Patch 8, or 3.4 Patch 4, or later.
- Ensure hardware and software compatibility before performing the upgrade.
- Contact Cisco Technical Assistance Center (TAC) for assistance if needed, with proof of entitlement for free upgrades.