Vulnerability in Identity Services Engine with exploit code patched by Cisco
A PoC is out there, but there's no evidence of abuse yet.

- CVE-2026-20029 in Cisco ISE/ISE-PIC allows arbitrary file reads via malicious XML uploads
- Exploitation requires valid admin credentials; no workarounds exist—patching is the only fix
- PoC exploit available; past ISE flaws show attackers actively target enterprise network access controls
Cisco has patched a medium-severity vulnerability in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), for which there is a proof-of-concept (PoC) exploit.
In a security advisory published by Cisco, the network giant said the bug was due to improper parsing of XML that is processed by the web-based management interface of the affected tools.
The bug, tracked as CVE-2026-20029 and assigned a severity score of 4.9/10 (medium), allows an authenticated, remote attacker with administrative privileges to gain access to sensitive information.
Patches and workarounds
By uploading a malicious file to the application, an attacker could read arbitrary files from the underlying operating system, exposing sensitive and private information. To exploit the vulnerability, the threat actor needs valid admin credentials.
There are no workarounds for the vulnerability, Cisco warned, and the only way to address the problem is to patch the applications. Different versions have different patches, so make sure to apply the correct one:
- Earlier than 3.2: Migrate to a fixed release
- 3.2: 3.2 Patch 8
- 3.3: 3.3 Patch 8
- 3.4: 3.4 Patch 4
- 3.5: Not vulnerable
While the network giant said it saw no evidence of the vulnerability being actively exploited in the wild, it did say that proof-of-concept code is available. In other words, it is only a matter of time before we see an organization lose sensitive files through this bug.
Cisco Identity Services Engine (ISE) is most commonly used in medium to large enterprise environments where organizations need centralized control over who and what can access their networks. As such, it is a popular target among cybercriminals.
In November 2025, it was found that “sophisticated” threat actors were using a 10/10 zero-day in ISE to deploy custom backdoor malware.
In June 2025, Cisco patched three bugs in ISE and Customer Collaboration Platform, including a critical-severity issue with a public proof-of-concept exploit.
Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.