Introduction
A critical command injection flaw in Cisco Identity Services Engine allows an authenticated administrator to break out of the application layer, land on the underlying operating system, and escalate all the way to root. For the many enterprises that rely on Cisco ISE as their sole network access control gateway, this vulnerability (scored CVSS 9.9) introduces a direct path from compromised admin credentials to full infrastructure compromise and, in single-node deployments, a network-wide denial of service.
Technical Information
CVE-2026-20147 is tracked under Cisco Bug ID CSCws52738 and classified as CWE-77 (Command Injection). The root cause is insufficient validation of user-supplied input within the web management interface of Cisco ISE and Cisco ISE Passive Identity Connector (ISE-PIC). When an authenticated administrator submits a crafted HTTP request, the input is not properly sanitized before being passed to the underlying operating system. This allows injected commands to be interpreted and executed at the OS level.
The full CVSS 3.1 vector is:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
This vector reflects a network accessible attack surface, low attack complexity, low privilege requirements (valid admin credentials), no user interaction, and a changed scope with high impact across confidentiality, integrity, and availability. The changed scope designation is significant: it indicates the attacker breaks out of the vulnerable component (the ISE web application) and impacts the underlying operating system, which is a separate security authority.
Attack Flow
The exploitation chain proceeds through four stages:
- Credential acquisition: The attacker must first obtain valid administrative credentials for the Cisco ISE or ISE-PIC web interface. This could be achieved through phishing, credential reuse, or compromise of a credential store.
- Crafted HTTP request: The attacker constructs and sends a specially crafted HTTP request to the ISE management interface. The request targets the vulnerable input validation path, embedding OS commands within the user-supplied input.
- User-level OS access: Upon successful injection, the attacker obtains user-level access to the underlying operating system of the ISE appliance.
- Privilege escalation to root: From this initial foothold, the attacker escalates privileges to root, gaining full control over the device and its configuration, certificates, and network policy data.
Denial of Service Impact in Single Node Deployments
In single-node ISE deployments, successful exploitation can cause the affected ISE node to become completely unavailable. Because ISE serves as the authentication and authorization gateway, this creates a denial of service condition where endpoints that have not already authenticated are unable to access the network until the node is restored. Organizations running ISE in a single-node configuration face a compounded risk: not only infrastructure compromise, but also a potential network outage.
Companion Vulnerability: CVE-2026-20148
Cisco disclosed a companion vulnerability alongside CVE-2026-20147. CVE-2026-20148 (Bug ID CSCws52717) is a path traversal vulnerability with a CVSS base score of 4.9. It also requires valid administrative credentials and is caused by improper validation of user-supplied input. By sending a crafted HTTP request, an attacker can perform path traversal to read arbitrary, potentially sensitive files on the underlying operating system. The two vulnerabilities are independent; exploitation of one does not require exploitation of the other. Both are addressed in the same patch cycle.
Patch Information
Cisco has officially released software updates that address CVE-2026-20147 as part of advisory cisco-sa-ise-rce-traversal-8bYndVrZ, published on April 15, 2026. The patch tightens input validation to prevent crafted HTTP requests from reaching the underlying operating system and being interpreted as executable commands.
Cisco has explicitly stated that no workarounds exist. Upgrading to a patched release is the only remediation path.
The fixed software releases span multiple major ISE and ISE-PIC branches. Administrators should identify their current release and upgrade accordingly:
| Cisco ISE / ISE-PIC Release | First Fixed Release |
|---|---|
| Earlier than 3.1 | Migrate to a fixed release |
| 3.1 | 3.1 Patch 11 (Apr 2026) |
| 3.2 | 3.2 Patch 10 (Apr 2026) |
| 3.3 | 3.3 Patch 11 (Apr 2026) |
| 3.4 | 3.4 Patch 6 (Apr 2026) |
| 3.5 | 3.5 Patch 3 |
Several important notes on the fixed release table:
- For deployments running releases earlier than 3.1, Cisco does not provide a direct patch. Those environments must be migrated to a supported release that includes the fix.
- Cisco ISE-PIC has reached end-of-sale status, with release 3.4 being the last supported version. ISE-PIC users should apply 3.4 Patch 6 as their terminal fix.
- The patches listed above address both CVE-2026-20147 and the companion path traversal vulnerability CVE-2026-20148 in a single update cycle. Administrators applying any of the listed patches will remediate both CVEs simultaneously.
The advisory was released with a status of "Final," meaning no further revisions to the fixed release information are expected. The fix is available through normal Cisco software download channels. Administrators should consult the Upgrade Guides on the Cisco ISE support page for step-by-step upgrade instructions specific to their deployment.
Affected Systems and Versions
The vulnerability affects Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) regardless of device configuration. The following releases are confirmed vulnerable:
- All Cisco ISE and ISE-PIC releases earlier than 3.1
- Cisco ISE / ISE-PIC 3.1 (versions prior to 3.1 Patch 11)
- Cisco ISE / ISE-PIC 3.2 (versions prior to 3.2 Patch 10)
- Cisco ISE / ISE-PIC 3.3 (versions prior to 3.3 Patch 11)
- Cisco ISE / ISE-PIC 3.4 (versions prior to 3.4 Patch 6)
- Cisco ISE 3.5 (versions prior to 3.5 Patch 3)
Single-node ISE deployments carry elevated risk due to the potential for complete network access denial of service upon successful exploitation.
Cisco ISE-PIC has reached its end-of-sale date, with release 3.4 being the last supported version.
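For a fleet inventory check, the following script (an added example, not Cisco's or the advisory's code) parses release strings such as "3.3 Patch 9", applies the first-fixed table above, and flags nodes still on a vulnerable release; the hostnames and inventory are constructed sample data.

```python
# Added example: triage an ISE / ISE-PIC inventory against the first-fixed table.
import re

# First fixed patch level per release train, from the advisory's table.
FIRST_FIXED = {"3.1": 11, "3.2": 10, "3.3": 11, "3.4": 6, "3.5": 3}

def parse_release(s):
    """'3.3 Patch 9' -> ('3.3', 9); a bare '3.3' means patch level 0."""
    m = re.fullmatch(r"\s*(\d+\.\d+)(?:\s+Patch\s+(\d+))?\s*", s, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised release string: {s!r}")
    return m.group(1), int(m.group(2) or 0)

def is_vulnerable(release, product="ISE"):
    """True if the release predates the first fixed build for its train."""
    train, patch = parse_release(release)
    major, minor = (int(x) for x in train.split("."))
    if (major, minor) < (3, 1):
        return True  # no direct patch exists; migration to a fixed release required
    if product.upper() == "ISE-PIC" and (major, minor) > (3, 4):
        raise ValueError("ISE-PIC ends at release 3.4 (end-of-sale)")
    if train not in FIRST_FIXED:
        raise ValueError(f"release train {train} is not covered by the advisory")
    return patch < FIRST_FIXED[train]

def triage(inventory):
    """inventory: (hostname, product, release) tuples; returns hosts to upgrade."""
    return [host for host, product, rel in inventory if is_vulnerable(rel, product)]

# Constructed sample inventory (hostnames are placeholders).
INVENTORY = [
    ("ise-psn-01", "ISE", "3.3 Patch 9"),
    ("ise-pan-01", "ISE", "3.3 Patch 11"),
    ("ise-pic-01", "ISE-PIC", "3.4 Patch 6"),
    ("ise-old-01", "ISE", "2.7 Patch 10"),
    ("ise-new-01", "ISE", "3.5"),
]

if __name__ == "__main__":
    for host in triage(INVENTORY):
        print("upgrade required:", host)
```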
Vendor Security History
Cisco PSIRT aligns its disclosure practices with ISO/IEC 29147:2018, which establishes international guidelines for vulnerability disclosure. The publication of a Final version 1.0 advisory with clear CVSS metrics, bug IDs, and specific patch branches demonstrates a mature vulnerability management process. At the time of advisory publication, Cisco PSIRT stated they are not aware of any public announcements or malicious use of CVE-2026-20147.