Ethical Hacking News
Cisco ISE Bug Patches: A Growing Concern for Organizations
A critical vulnerability has been discovered in Cisco's Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) products, allowing remote attackers to access sensitive information. As of now, there is no reported exploitation, but the existence of a public proof-of-concept exploit raises concerns about its potential impact. Companies must prioritize patching this vulnerability to prevent potential abuse.
Cisco's ISE and ISE-PIC products have been affected by a new bug (CVE-2026-20029) that allows remote attackers with admin-level privileges to access sensitive information.The severity of this vulnerability is rated medium-severity 4.9 CVSS, indicating a high-risk exploit that could allow an attacker to read arbitrary files from the underlying operating system.No in-the-wild abuse of the bug has been detected yet, but it's likely to become more widespread due to a public proof-of-concept exploit.Cisco and Trend Micro have acknowledged the vulnerability and urge customers to patch the issue immediately.
Cisco's Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) products have been hit by a new bug, tracked as CVE-2026-20029, which allows remote attackers with admin-level privileges to access sensitive information. The bug affects both ISE and ISE-PIC, regardless of device configuration, due to improper parsing of XML processed by the two products.
The severity of this vulnerability has been rated medium-severity 4.9 CVSS (Common Vulnerability Scoring System), indicating a high-risk exploit that could allow an attacker to read arbitrary files from the underlying operating system, potentially containing sensitive data. While authentication is required for exploitation, assuming an attacker obtains admin credentials, they can leak the contents of files on an affected system.
Fortunately, as of now, Cisco and Trend Micro Zero Day Initiative's bug hunter Bobby Gould have not detected any in-the-wild abuse of this CVE. However, given the existence of a public proof-of-concept (POC) exploit for the flaw, it is likely that exploitation will soon become more widespread.
In November 2025, Amazon warned of an "advanced" attacker who had exploited another ISE bug (CVE-2025-20337) as a zero-day to deploy custom malware. In July 2025, researchers warned about miscreants exploiting another 10 out of 10 CVSS-rated ISE flaw (CVE-2025-20281), prompting Cisco to acknowledge in-the-wild activity and urge customers to patch.
The bug is attributed to improper parsing of XML processed by the two products' web-based management interface. This vulnerability does require authentication, which presents a barrier to exploitation; however, assuming an attacker has obtained admin credentials, they can exploit the bug.
Cisco credited Trend Micro Zero Day Initiative's bug hunter Bobby Gould with spotting and reporting this vulnerability. ZDI's Head of Threat Awareness Dustin Childs expressed his confidence that widespread abuse of this flaw is unlikely due to its high-privilege requirements. Nevertheless, companies should prioritize implementing this fix as networking devices are often favored targets by government-backed attackers, particularly those from China.
Companies should not leave these holes open for long and ensure they implement the patch immediately.
Related Information:
https://www.ethicalhackingnews.com/articles/Cisco-ISE-Bug-Patches-A-Growing-Concern-for-Organizations-ehn.shtml
Published: Thu Jan 8 13:01:08 2026 by llama3.2 3B Q4_K_M
