Cisco has issued security patches for a medium-severity vulnerability in its Identity Services Engine (ISE) and ISE Passive Identity Connector following the public release of proof-of-concept exploit code. The flaw could allow an authenticated attacker holding administrative credentials to read sensitive files on the underlying operating system, and Cisco is urging customers to move to a fixed release without delay.
The vulnerability, tracked as CVE-2026-20029, affects the licensing feature of ISE and the ISE Passive Identity Connector. This medium-severity flaw stems from improper XML parsing in the web-based management interface: an authenticated remote attacker with administrative credentials can upload a crafted file and, although the account is already privileged, use the parsing flaw to read files on the underlying operating system that the management interface is not meant to expose.
The discovery is credited to Bobby Gould of Trend Micro's Zero Day Initiative. Cisco notes that proof-of-concept exploit code is already publicly available, which raises the urgency even though there are no confirmed reports of exploitation in the wild. Customers on releases earlier than 3.2 are advised to migrate to a fixed release, while those on 3.2, 3.3 and 3.4 should apply the patches Cisco has released for their release train.
Alongside the ISE updates, Cisco also patched two medium-severity vulnerabilities in the Snort 3 Detection Engine, tracked as CVE-2026-20026 and CVE-2026-20027. Both lie in how the engine processes Distributed Computing Environment / Remote Procedure Call (DCE/RPC) traffic. Unlike the ISE flaw, they can be exploited by an unauthenticated remote attacker to trigger a denial-of-service condition or to leak sensitive information, affecting the availability and confidentiality of the inspected network traffic.
These Snort-related vulnerabilities affect a broad range of Cisco hardware and software, including Secure Firewall Threat Defense (FTD), IOS XE and the Meraki software lines. Guy Lederfein of Trend Micro identified the flaws, which cause the detection engine to restart or to disclose data it is meant to protect. Because no credentials are needed to exploit them, they pose a significant risk to the perimeter security of affected organizations.
Cisco confirmed that there are no workarounds for any of these vulnerabilities, so installing the official software updates is the only way to mitigate the risk. Because Cisco infrastructure is a frequent target of sophisticated attacks, administrators should prioritize these patches and confirm that every FTD, IOS XE and ISE system is running a fixed release rather than merely a recent one.
Source: Cisco Fixes ISE Security Vulnerability After Public PoC Exploit Release

The unauthenticated angle on those Snort CVEs is worrying. Most teams focus patching effort on stuff that requires credentials, but these can be hit from outside the perimeter without any login. I've noticed ISE gets treated as "internal only" infrastructure way too often, so teams miss how exposed it actually is. Would be curious to see if any of these get chained together in the wild.