Introduction
A critical authenticated remote code execution flaw in Cisco Identity Services Engine allows an attacker holding nothing more than Read Only Admin credentials to escalate all the way to root on the underlying operating system. For organizations that rely on ISE as their central network access control and zero trust policy engine, this vulnerability (scored CVSS 9.9) directly threatens the integrity of the component that decides who and what gets onto the network.
Technical Information
CVE-2026-20180 stems from insufficient validation of user supplied input on the Cisco ISE web management interface. The vulnerability maps to two CWE classifications: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as Path Traversal) and CWE-77 (Command Injection). Together, these weaknesses allow a crafted HTTP request to both traverse restricted file system paths and inject arbitrary operating system commands.
Prerequisites
The attack requires two conditions:
- Network access to the Cisco ISE management interface (typically HTTPS on the admin portal).
- Valid credentials with at least Read Only Admin privileges.
The Read Only Admin role is the lowest tier of administrative access in ISE. It is commonly provisioned for auditors, helpdesk staff, and monitoring integrations, meaning the pool of accounts that could be leveraged is often larger than organizations realize.
Attack Flow
Based on the advisory details, the exploitation sequence proceeds as follows:
- Authentication: The attacker authenticates to the ISE management web interface using Read Only Admin (or higher) credentials.
- Crafted HTTP Request: The attacker sends a specifically crafted HTTP request to the ISE management endpoint. This request exploits the insufficient input validation to bypass standard application controls.
- User Level Shell Access: The crafted request allows the attacker to interact directly with the underlying operating system, obtaining a user level shell.
- Privilege Escalation to Root: From the initial foothold, the attacker escalates privileges to root, achieving complete control over the ISE appliance.
- Denial of Service (Single Node Deployments): In single node ISE deployments, successful exploitation can cause the affected ISE node to become unavailable. In this condition, endpoints that have not already authenticated are unable to access the network until the node is restored.
Because Cisco ISE is closed source, no public code commits or diffs are available for inspection. The vulnerability was discovered during internal security testing by X.B. of the Cisco Advanced Security Initiatives Group (ASIG). No public proof of concept exploit code or detailed indicators of compromise have been released.
Security teams should monitor web access logs for anomalous HTTP requests directed at ISE management endpoints, particularly from accounts with Read Only Admin privileges.
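As an added illustration of that monitoring advice (not code from Cisco or the advisory), the following Python scans constructed access-log lines for the two weakness classes named above, dot-dot path segments (CWE-22) and shell metacharacters (CWE-77), and marks hits that come from accounts in a supplied Read Only Admin list. The combined-log layout, the `/admin/` prefix and the account names are assumptions; since the vulnerable endpoint and request are not public, the patterns are generic heuristics rather than a signature for this CVE.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a generic combined-log layout (user in field 3).
# The real ISE access-log layout may differ; adapt LOG_RE to match it.
SAMPLE_LOG = """\
10.0.0.5 - auditor1 [15/Apr/2026:10:01:02 +0000] "GET /admin/dashboard HTTP/1.1" 200 5120
10.0.0.5 - auditor1 [15/Apr/2026:10:01:09 +0000] "GET /admin/report?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 812
10.0.0.7 - helpdesk2 [15/Apr/2026:10:02:15 +0000] "POST /admin/export?name=a%3Bid HTTP/1.1" 500 0
10.0.0.9 - superadmin [15/Apr/2026:10:03:00 +0000] "GET /admin/report?file=summary.csv HTTP/1.1" 200 4100
"""

LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# CWE-22: a dot-dot segment followed by either slash style.
# CWE-77: shell metacharacters that have no place in a management request.
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')
CMD_INJ_RE = re.compile(r'[;|`]|\$\(|&&')

def normalise(url: str) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads show."""
    prev, cur = None, url
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur

def scan_access_log(text: str, read_only_admins: set, admin_prefix: str = "/admin/"):
    """Return (user, method, url, reasons) for each suspicious admin request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _src, user, method, url, _status = m.groups()
        if not url.startswith(admin_prefix):
            continue
        decoded = normalise(url)
        reasons = []
        if TRAVERSAL_RE.search(decoded):
            reasons.append("path traversal (CWE-22)")
        if CMD_INJ_RE.search(decoded):
            reasons.append("command injection characters (CWE-77)")
        if reasons and user in read_only_admins:
            reasons.append("from Read Only Admin account")
        if reasons:
            findings.append((user, method, url, reasons))
    return findings
```

Run against the constructed sample the scanner reports the traversal attempt by auditor1 and the `;` injection attempt by helpdesk2, both tagged as Read Only Admin activity, and ignores the two benign requests.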
Patch Information
Cisco has released software updates addressing CVE-2026-20180, published on April 15, 2026, under advisory ID cisco-sa-ise-rce-4fverepv. There are no workarounds available for this vulnerability, making patching the only remediation path.
The patch strengthens input sanitization routines on the affected ISE web interface endpoints to prevent an authenticated attacker from breaking out to the underlying operating system and escalating to root. The fix is tied to two Cisco Bug IDs: CSCwq21242 and CSCwq22993.
The fixed release matrix provided by Cisco is as follows:
| Cisco ISE Release | First Fixed Release |
|---|---|
| Earlier than 3.2 | Migrate to a fixed release. |
| 3.2 | 3.2 Patch 8 |
| 3.3 | 3.3 Patch 8 |
| 3.4 | 3.4 Patch 4 |
| 3.5 | Not vulnerable. |
ISE release 3.5 is not affected, which suggests that the input validation improvements were already incorporated into its codebase before general availability. For customers running ISE versions older than 3.2, Cisco does not provide a direct patch; a migration to a supported, fixed release is required.
Organizations should prioritize patching single node deployments first due to the denial of service risk that could halt network authentication for new endpoints. Additionally, organizations should immediately audit all accounts with Read Only Admin privileges or higher, disabling any that are unnecessary or potentially compromised.
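As an added example (not Cisco's tooling), the following Python encodes the fixed release matrix above and the single node first prioritisation from the preceding paragraph, so an ISE inventory can be triaged against CVE-2026-20180. The version string format ("3.3 Patch 5"), the inventory hostnames and the single node flags are constructed assumptions; trains not listed in the advisory are reported as such rather than guessed at.

```python
import re

# Fixed-release matrix from the advisory: release train -> first fixed patch.
# Trains older than 3.2 have no patch (migrate); 3.5 is not vulnerable.
FIRST_FIXED_PATCH = {"3.2": 8, "3.3": 8, "3.4": 4}
NOT_VULNERABLE = {"3.5"}

VERSION_RE = re.compile(r"^(\d+\.\d+)(?:\s*Patch\s*(\d+))?$", re.IGNORECASE)

def assess(version: str) -> str:
    """Classify one ISE version string (e.g. '3.3 Patch 5') against the matrix."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ISE version: {version!r}")
    train, patch = m.group(1), int(m.group(2) or 0)
    major, minor = (int(x) for x in train.split("."))
    if train in NOT_VULNERABLE:
        return "not vulnerable"
    if (major, minor) < (3, 2):
        return "vulnerable: migrate to a fixed release"
    if train not in FIRST_FIXED_PATCH:
        return "not listed in advisory matrix"  # e.g. a train newer than 3.5
    fixed = FIRST_FIXED_PATCH[train]
    if patch >= fixed:
        return "fixed"
    return f"vulnerable: upgrade to {train} Patch {fixed}"

def prioritise(nodes):
    """nodes: (hostname, version, is_single_node). Returns the vulnerable ones,
    single node deployments first because of the denial of service risk."""
    work = [(h, v, s, assess(v)) for h, v, s in nodes]
    work = [n for n in work if n[3].startswith("vulnerable")]
    return sorted(work, key=lambda n: (not n[2], n[0]))

# Constructed inventory; hostnames and versions are illustrative only.
INVENTORY = [
    ("ise-pan-1", "3.3 Patch 5", False),
    ("ise-lab", "3.2 Patch 3", True),
    ("ise-psn-2", "3.4 Patch 4", False),
    ("ise-legacy", "3.1 Patch 9", True),
    ("ise-new", "3.5", False),
]
```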
Affected Systems and Versions
The following Cisco ISE releases are affected:
- Cisco ISE versions earlier than 3.2: Vulnerable. No direct patch available; migration to a fixed release is required.
- Cisco ISE 3.2: Vulnerable. Fixed in 3.2 Patch 8.
- Cisco ISE 3.3: Vulnerable. Fixed in 3.3 Patch 8.
- Cisco ISE 3.4: Vulnerable. Fixed in 3.4 Patch 4.
- Cisco ISE 3.5: Not vulnerable.
Cisco ISE Passive Identity Connector (ISE PIC) is confirmed not to be vulnerable and requires no action.
Single node ISE deployments carry additional risk due to the potential for a denial of service condition that blocks new endpoint authentication.
Vendor Security History
Cisco has dealt with recurring critical vulnerabilities in the ISE platform. In 2025, Cisco addressed a series of critical unauthenticated remote code execution vulnerabilities in ISE, specifically CVE-2025-20281 and CVE-2025-20337, which carried a CVSS score of 10.0. These were actively exploited in the wild and subsequently added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
A comparison of the 2025 and 2026 ISE vulnerabilities provides useful context:
| Year | CVE Identifiers | Authentication Required | CVSS Score | Active Exploitation Observed |
|---|---|---|---|---|
| 2026 | CVE-2026-20180 | Yes (Read Only Admin) | 9.9 | No (as of disclosure) |
| 2025 | CVE-2025-20281, CVE-2025-20337 | No | 10.0 | Yes |
The recurring nature of critical remote code execution flaws in this central policy engine underscores the necessity for organizations to maintain aggressive patching schedules for their network access control infrastructure.