HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-20181Published Modified CNA cisco

CVE-2026-20181: Cisco Identity Services Engine Remote Code Execution Vulnerability

A vulnerability in Cisco ISE and ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node deployments, successful exploitation of this vulnerability could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.

Metrics

CVSS v3.1
9.1
Severity
CRITICAL
Fixed in
Affected Products
2

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is a remote code execution vulnerability in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), reachable over the network by any attacker with valid administrative credentials. Exploitation is triggered by sending a crafted HTTP request, which first grants user-level operating system access and then allows privilege escalation to root. A successful attack gives the attacker full control of the underlying OS and, in single-node deployments, can render the ISE node unavailable and block unauthenticated endpoints from accessing the network. No fix has been published yet; HarborGuard is tracking this advisory and will surface a patched-image rebuild the moment Cisco releases one.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from Cisco's advisory feed and upstream vulnerability databases within minutes of publication and matched against all customer images, including custom-built images that bundle ISE software components. Any image running an affected version of Cisco ISE or ISE-PIC will be flagged immediately.

Available
Triage

HarborGuard scores this finding at CVSS 9.1 (Critical) and weights it against each customer environment's compliance policy to determine urgency and routing. Alerts are directed to the appropriate team inbox within each customer organization based on their configured escalation rules.

Available
Patch

Because no fix version has been published by Cisco, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix appears. In the interim, customers can apply compensating controls through HarborGuard's network policy recommendations to limit exposure.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the ISE administrative interface over the network; there is no local-only or physical-access constraint.

  • AuthenticationRequired

    Valid administrative credentials are required; a standard low-privilege account is not sufficient, an admin-level account must be compromised or obtained first.

  • Victim interactionNot required

    No action by any user or administrator on the target device is needed to complete the attack.

  • Attack complexityDetail

    Attack complexity is low, meaning the exploit is reliable and requires no race conditions, special memory layout, or other variable environmental factors beyond holding valid admin credentials.

Blast Radius

  • The attacker gains an initial foothold as an OS-level user and then escalates privileges to root, achieving full control of the underlying operating system.
  • With root access, the attacker can read all data processed by ISE, including authentication records, identity data, and network access policy configurations.
  • The attacker can modify ISE configuration, policy rules, or stored credentials, allowing persistent backdoors or manipulation of who is granted network access.
  • In single-node deployments, the attacker can crash or disable the ISE node, blocking any endpoint that has not yet authenticated from accessing the network until the node is restored.

How HarborGuard Handles This

Available on HarborGuard: because Cisco has not yet released a fix for CVE-2026-20181, no patched-image rebuild is currently available. HarborGuard re-checks the Cisco advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, open a regression-tested PR against affected workloads the moment a fix version is published. While awaiting a patch, customers can use HarborGuard's network policy tooling to isolate ISE administrative interfaces from broad network reachability, restricting access to known management subnets and reducing the pool of potential attackers who could present valid admin credentials. Feature-flag gating on any non-essential ISE administrative API surface is also recommended as a compensating control during the exposure window.

See how HarborGuard automates this
Affected packages
  • Cisco / Cisco Identity Services Engine Software
    3.1.0 · 3.1.0 p1 · 3.1.0 p3 · 3.1.0 p2 · 3.2.0 · 3.1.0 p4
  • Cisco / Cisco ISE Passive Identity Connector
    3.2.0 · 3.1.0 · 3.3.0 · 3.4.0 · 3.5.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
References