Cisco Patches Zero-Day Information Disclosure Flaw in ISE Platform

Cisco Patches High-Severity Zero-Day Information Disclosure Flaw (CVE-2026-20029) in ISE

Severity: HIGH
January 9, 2026
4m read
Topics: Vulnerability, Patch Management, Security Operations

Related Entities

Products & Tech

  • Cisco Identity Services Engine (ISE)
  • Cisco ISE Passive Identity Connector (ISE-PIC)

CVE Identifiers

  • CVE-2026-20029 (HIGH)

Full Report

Executive Summary

Cisco has released patches for a high-severity, zero-day vulnerability, CVE-2026-20029, affecting its Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) products. The vulnerability could allow an authenticated, remote attacker with administrative privileges to read arbitrary files on the affected system. The flaw stems from improper XML parsing within the web management interface. Cisco has released software updates to remediate the vulnerability and recommends customers apply them to prevent potential exposure of sensitive data.


Vulnerability Details

The vulnerability exists in the web-based management interface of Cisco ISE and ISE-PIC. It is caused by the improper parsing of XML data. An attacker who has already obtained administrative credentials for the management interface could exploit this flaw.

The attack vector involves the attacker uploading a specially crafted file to the application. Because of the XML parsing flaw, that upload could be used to read arbitrary files from the underlying operating system of the ISE appliance, including sensitive configuration files, system data, or potentially credentials stored on the device.

Affected Systems

  • Product: Cisco Identity Services Engine (ISE)
  • Product: Cisco ISE Passive Identity Connector (ISE-PIC)
  • Affected Versions: All earlier releases of ISE and ISE-PIC are affected; the vulnerability is not present in version 3.5, which was released in September 2025.

Exploitation Status

Cisco has classified this as a zero-day vulnerability, meaning it was discovered and potentially exploited before a patch was available. While Cisco's advisory did not confirm active exploitation in the wild, the prompt release of a patch indicates the risk is significant.

Impact Assessment

While the vulnerability requires the attacker to already be authenticated as an administrator, the impact is still serious. Cisco ISE is a critical network security component that acts as the central policy engine for network access control.

A successful exploit could lead to:

  • Information Disclosure: Exposure of sensitive system files, network configurations, and potentially credentials that could be used to pivot to other parts of the network.
  • Reconnaissance: An attacker could gather detailed information about the network's architecture and security policies, enabling more sophisticated follow-on attacks.
  • Compromise of Network Integrity: Information stolen from ISE could be used to bypass network access controls, undermining the core function of the product.

Detection Methods

  • Log Analysis: Monitor Cisco ISE audit and system logs for unusual administrative activity, particularly related to file uploads or configuration changes. Look for logs indicating errors in XML parsing.
  • User Behavior Analysis: Alert on anomalous behavior from administrative accounts, such as logins from unusual IP addresses or activity outside of normal working hours.
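As an added example (not code from the article or from Cisco), the following script applies the detection cues above to a few constructed, simplified log lines: it flags administrative file uploads, XML parsing errors that closely follow an upload, and administrative logins from outside an assumed management subnet or outside assumed working hours. The event names, field names, subnet and hours are assumptions for the example, not Cisco ISE's real log format.

```python
import ipaddress
import re
from datetime import datetime, time

# Constructed sample lines in a simplified syslog-like layout; not real
# Cisco ISE output (event and field names are assumptions for the example).
SAMPLE_LOGS = [
    "2026-01-08T02:14:09Z ise-node1 ADMIN_LOGIN user=admin src=203.0.113.45 result=SUCCESS",
    "2026-01-08T02:15:30Z ise-node1 FILE_UPLOAD user=admin src=203.0.113.45 name=policy.xml",
    "2026-01-08T02:15:31Z ise-node1 XML_PARSE_ERROR user=admin src=203.0.113.45 name=policy.xml",
    "2026-01-08T10:02:11Z ise-node1 ADMIN_LOGIN user=ops-admin src=10.10.5.12 result=SUCCESS",
    "2026-01-08T10:05:44Z ise-node1 CONFIG_CHANGE user=ops-admin src=10.10.5.12 object=network-device",
]

MGMT_NET = ipaddress.ip_network("10.10.5.0/24")   # assumed management subnet
WORK_START, WORK_END = time(8, 0), time(18, 0)    # assumed working hours (UTC)
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<rest>.*)$")


def parse_line(line):
    """Split one log line into timestamp, event name and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "event": m.group("event"), **fields}


def analyze(lines):
    """Return (severity, reason, user) findings for the article's detection cues."""
    findings = []
    last_upload = {}  # user -> timestamp of that user's most recent upload
    for rec in filter(None, map(parse_line, lines)):
        user, ev, ts = rec.get("user", "?"), rec["event"], rec["ts"]
        if ev == "ADMIN_LOGIN":
            if ipaddress.ip_address(rec["src"]) not in MGMT_NET:
                findings.append(("HIGH", "admin login from outside management network", user))
            if not WORK_START <= ts.time() <= WORK_END:
                findings.append(("MEDIUM", "admin login outside working hours", user))
        elif ev == "FILE_UPLOAD":
            last_upload[user] = ts
            findings.append(("MEDIUM", "administrative file upload", user))
        elif ev == "XML_PARSE_ERROR":
            # An XML error within five minutes of an upload by the same user is the
            # pattern the article's log-analysis guidance points at.
            recent = user in last_upload and (ts - last_upload[user]).total_seconds() <= 300
            reason = "XML parsing error" + (" right after an upload" if recent else "")
            findings.append(("HIGH" if recent else "MEDIUM", reason, user))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOGS):
        print(*finding)
```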

Remediation Steps

  • Apply Patches (D3-SU: Software Update): The primary remediation is to apply the software updates provided by Cisco. Customers should consult the Cisco security advisory for the specific patched versions relevant to their deployment.
  • Restrict Administrative Access: As a general best practice, administrative access to critical network appliances like Cisco ISE should be strictly controlled. Access to the management interface should be limited to a dedicated, segmented management network and restricted to authorized personnel only.
  • Privileged Account Management: Protect administrative credentials using a Privileged Access Management (PAM) solution and enforce multi-factor authentication for all administrative logins.

Timeline of Events

1. January 8, 2026: Cisco publishes a security advisory and releases patches for CVE-2026-20029.
2. January 9, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Apply the software updates provided by Cisco to remediate the vulnerability.
  • Strictly control and monitor administrative access to the ISE management interface.

D3FEND Defensive Countermeasures

The definitive mitigation for CVE-2026-20029 is to upgrade the Cisco ISE and ISE-PIC software to a patched version as specified in the Cisco security advisory. Since this is a zero-day, prompt action is required. Organizations should leverage their patch management program to identify all affected appliances and schedule the update. Given the critical role of ISE in network security, these updates should be prioritized and deployed as soon as possible after appropriate testing in a lab environment to ensure no operational impact.

Sources & References

  • No Rest in 2026 as Patch Alerts Amass for Cisco, HPE and n8n. GovInfoSecurity (govinfosecurity.com), January 9, 2026.
  • CISA warns of active attacks on HPE OneView and legacy PowerPoint (related mention). Cyber Security Review (cybereason.com), January 8, 2026.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags

Cisco, ISE, zero-day, vulnerability, information disclosure, patch management
