Cisco has disclosed a new XML External Entity (XXE) vulnerability in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could allow authenticated attackers with administrative access to read sensitive data from the underlying operating system.
The vulnerability is tracked as CVE-2026-20029 and is rated CVSS 4.9 (medium severity), but its impact is significant in environments where ISE serves as a central policy and identity control plane.
According to advisory cisco-sa-ise-xxe-jWSbSDKt, the issue stems from insufficient restriction of external entity references in the XML parsing performed by the licensing features exposed through the web-based management interface.
An attacker with valid admin credentials can upload a crafted XML file whose external entity declarations cause the parser to read arbitrary files on the host OS and return their contents.
Critically, Cisco notes that this may expose data that should not be accessible even to legitimate administrators, elevating the risk beyond typical configuration disclosure.
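As an added illustration of the CWE-611 primitive the advisory describes (this is not Cisco's code and says nothing about ISE's actual licensing file format), the Python block below builds a constructed XML "upload" that declares an external entity pointing at a local file, then parses it twice with the standard library's xml.sax parser: once with external general entities enabled, which is the vulnerable configuration, and once with them disabled, which has been the default since Python 3.7.1. The element names, file name and secret value are all constructed for the example.

```python
"""Generic XXE (CWE-611) demonstration with xml.sax.
Added example; not Cisco's code and unrelated to ISE internals."""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the character data of each element, keyed by tag name."""

    def __init__(self):
        super().__init__()
        self.text = {}
        self._stack = []

    def startElement(self, name, attrs):
        self._stack.append(name)
        self.text.setdefault(name, "")

    def characters(self, content):
        # Entity expansions arrive here too, attributed to the open element.
        if self._stack:
            self.text[self._stack[-1]] += content

    def endElement(self, name):
        self._stack.pop()


def build_xxe_payload(target_uri: str) -> bytes:
    """A constructed 'upload': the DOCTYPE declares an external entity that
    points at a local file, and a field the application echoes back refers
    to it. Element names are hypothetical."""
    return f"""<?xml version="1.0"?>
<!DOCTYPE license [
  <!ENTITY xxe SYSTEM "{target_uri}">
]>
<license>
  <customer>ACME</customer>
  <key>&xxe;</key>
</license>""".encode()


def parse_upload(data: bytes, resolve_external_entities: bool) -> dict:
    """Parse an uploaded document. Turning feature_external_ges on makes the
    parser fetch whatever SYSTEM identifier the document names; leaving it
    off (the default) expands the entity to nothing."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return handler.text


def demo() -> tuple:
    """Write a constructed secret, then parse the same payload in both
    configurations. Returns (vulnerable_key_field, hardened_key_field)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")  # constructed target
        with open(secret_path, "w") as f:
            f.write("CONSTRUCTED-SECRET-7f3a")
        payload = build_xxe_payload(pathlib.Path(secret_path).as_uri())
        vulnerable = parse_upload(payload, resolve_external_entities=True)["key"]
        hardened = parse_upload(payload, resolve_external_entities=False)["key"]
    return vulnerable, hardened


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(safe))
```

The point of the pairing is that the document is identical in both runs; only the parser setting decides whether the `<key>` field comes back holding the target file's contents. The same check applies to any server-side XML consumer: confirm that DTD processing or external entity resolution is off, and test it with a file you control rather than trusting the library's documentation.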
Because exploitation requires authenticated administrative access, the vulnerability does not enable an external, unauthenticated compromise on its own.
However, in real-world deployments, ISE and ISE-PIC often operate as high-value infrastructure components integrated with identity stores, network access control, and monitoring systems.
If an attacker has already obtained admin credentials (for example, via phishing, credential stuffing, or lateral movement), this bug gives them a direct path to harvest sensitive files such as configuration data, logs, or other stored secrets that reside on the appliance.
Cisco confirms that all supported Cisco ISE and ISE-PIC releases prior to the fixed builds are affected, regardless of configuration.
Fixed releases are available, and Cisco strongly recommends customers upgrade rather than relying on any form of mitigation, as no workarounds exist for this issue.
| Cisco ISE or ISE-PIC Release | First Fixed Release |
|---|---|
| Earlier than 3.2 | Migrate to a fixed release |
| 3.2 | 3.2 Patch 8 |
| 3.3 | 3.3 Patch 8 |
| 3.4 | 3.4 Patch 4 |
| 3.5 | Not vulnerable |
The Cisco Product Security Incident Response Team (PSIRT) reports that proof-of-concept exploit code for CVE-2026-20029 is already publicly available.
While Cisco is not currently aware of active malicious exploitation in the wild, the presence of PoC code substantially lowers the barrier for threat actors and raises the urgency for defenders to respond quickly.
Security teams should assume that reconnaissance and testing against exposed ISE management interfaces may follow soon after disclosure.
There are no published workarounds or configuration-only mitigations to contain this vulnerability. Organizations cannot rely on feature toggles or partial hardening to remove exposure; full remediation requires upgrading to a fixed software release.
In the interim, operators should strictly limit and monitor administrative access to ISE and ISE-PIC, ensure management interfaces are not exposed to untrusted networks, and review authentication, MFA enforcement, and logging around ISE admin accounts.
The vulnerability is associated with Cisco Bug ID CSCwq79739 and is categorized under CWE-611 (Improper Restriction of XML External Entity Reference). It is another reminder that an XML parser left with external entity resolution enabled becomes a powerful file-read primitive for data exfiltration on critical infrastructure platforms.
Cisco credits Bobby Gould of Trend Micro’s Zero Day Initiative for reporting the vulnerability.
Given the centrality of ISE in many enterprise access control architectures, organizations are urged to prioritize patching schedules, validate their current ISE versions against Cisco’s fixed release matrix, and plan immediate upgrades to eliminate this new avenue for sensitive data exposure.
