{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cisco-ise/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2026-20186"},{"cvss":9.9,"id":"CVE-2026-20147"},{"cvss":9.9,"id":"CVE-2026-20180"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cisco-ise","rce","command-injection","path-traversal"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCisco Identity Services Engine (ISE) versions 3.x.x (3.1.0 - 3.4.0, and 3.1.0 p1-p10, 3.2.0 p1-p7, 3.3 Patches 1-7, and 3.4 Patches 1-3) are vulnerable to three newly disclosed vulnerabilities that can lead to remote code execution. These vulnerabilities, CVE-2026-20186, CVE-2026-20147, and CVE-2026-20180, can be exploited by remote attackers with low privileges, such as having Read Only Admin credentials. Successful exploitation can result in service disruption, system takeover, and complete compromise of the ISE instance. The vulnerabilities involve command injection and path traversal due to insufficient validation of user-supplied input in HTTP request handling. 
There is currently no public proof-of-concept or proof-of-exploitation available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to Cisco ISE with low-privilege credentials (e.g., Read Only Admin).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting a vulnerable endpoint within the ISE web application.\u003c/li\u003e\n\u003cli\u003eThe crafted request exploits CVE-2026-20186 by injecting commands to escalate privileges to root.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker exploits CVE-2026-20147 by sending a crafted HTTP request to execute arbitrary commands on the underlying operating system.\u003c/li\u003e\n\u003cli\u003eAs another option, the attacker leverages CVE-2026-20180 by exploiting insufficient validation of user-supplied input, leading to remote code execution.\u003c/li\u003e\n\u003cli\u003eThe injected commands or executed code elevates the attacker\u0026rsquo;s privileges to root.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full control over the ISE system, enabling them to modify configurations, access sensitive data, or install malicious software.\u003c/li\u003e\n\u003cli\u003eIn single-node ISE deployments, successful exploitation can lead to a denial-of-service condition, disrupting network authentication and authorization services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities allows attackers to gain complete control over the Cisco ISE system. This can lead to the compromise of sensitive network access policies, credentials, and other confidential information managed by ISE. The impact includes potential disruption of network services due to denial-of-service, unauthorized access to network resources, and the potential for lateral movement to other systems within the network. 
Given that ISE is a critical component for network access control, a successful attack can have widespread and severe consequences.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch vulnerable Cisco ISE instances to the latest version to remediate CVE-2026-20186, CVE-2026-20147, and CVE-2026-20180 (Cisco Security Advisory).\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and detection capabilities to identify suspicious activity related to these vulnerabilities (CCB Recommendation).\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any existing compromises by reviewing system logs and configurations for unauthorized changes (CCB Recommendation).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T08:45:05Z","date_published":"2026-04-17T08:45:05Z","id":"/briefs/2026-04-cisco-ise-rce/","summary":"Multiple critical vulnerabilities in Cisco ISE (CVE-2026-20186, CVE-2026-20147, CVE-2026-20180) allow remote attackers with low privileges to execute arbitrary commands, potentially escalating privileges to root and causing denial-of-service.","title":"Multiple Critical Vulnerabilities in Cisco ISE Leading to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-04-cisco-ise-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cisco-Ise","version":"https://jsonfeed.org/version/1.1"}