Cisco has patched a high-severity flaw in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that lets an authenticated administrator read sensitive files from the underlying server.
Tracked as CVE-2026-20029, the vulnerability stems from improper handling of XML external entities (XXE) when the web-based management interface parses uploaded XML. The CVSS score has not yet been finalized, but the issue is flagged as high severity because of its potential for data exposure.
An attacker with valid administrative credentials can upload a crafted XML file that declares an external entity pointing at a path on the server; when the interface parses it, the parser reads the referenced file from the underlying operating system and its contents are disclosed to the attacker. That exposes configuration data, credentials, or other files that an administrator is not meant to read through the management interface.
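To show the mechanism behind this class of bug, here is an added example that is not Cisco's code and does not model ISE internals. It uses Python's standard-library expat binding to parse an "uploaded" document that declares an external entity pointing at a file on disk, first with a resolver configured the way a vulnerable application resolves such entities, then with the hardened configuration that rejects any DOCTYPE and refuses external entities outright. The secret file, its contents, the element names and the temporary path are all constructed for the demo.

```python
"""XXE file disclosure beside its hardened counterpart (added example).

Not Cisco code. Uses only xml.parsers.expat so it runs offline.
"""
import os
import tempfile
import xml.parsers.expat as expat


class XxeRejected(Exception):
    """Raised by the hardened parser when an upload carries a DTD."""


def build_payload(path: str) -> bytes:
    # Constructed attacker upload: an internal DTD declares an external
    # general entity whose SYSTEM identifier names a file on the server.
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE cfg [<!ENTITY xxe SYSTEM "{path}">]>\n'
        '<cfg>&xxe;</cfg>'
    ).encode()


def _collect_text(parser):
    # Character data inside the root element is what the application
    # would later store or echo back to the administrator.
    chunks = []
    parser.CharacterDataHandler = chunks.append
    return chunks


def parse_vulnerable(xml_bytes: bytes) -> str:
    """Parse the upload and, like a misconfigured server-side parser,
    resolve SYSTEM entities by reading the named file from disk."""
    p = expat.ParserCreate()
    chunks = _collect_text(p)

    def fetch_external_entity(context, base, system_id, public_id):
        # The application "helpfully" resolves whatever the DTD asked for.
        with open(system_id, "rb") as f:
            data = f.read()
        # The child parser inherits the parent's handlers, so the file's
        # bytes surface as character data of <cfg>.
        sub = p.ExternalEntityParserCreate(context)
        sub.Parse(data, True)
        return 1  # tell expat the entity was handled

    p.ExternalEntityRefHandler = fetch_external_entity
    p.Parse(xml_bytes, True)
    return "".join(chunks)


def parse_hardened(xml_bytes: bytes) -> str:
    """Same parse, but a DTD of any kind is rejected before any entity is
    declared, and external entities are never resolved (the usual
    'disallow DOCTYPE' posture for untrusted XML)."""
    p = expat.ParserCreate()
    chunks = _collect_text(p)

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise XxeRejected(f"DOCTYPE '{name}' is not permitted in uploads")

    def refuse_external_entity(context, base, system_id, public_id):
        return 0  # defence in depth: expat turns this into a parse error

    p.StartDoctypeDeclHandler = reject_doctype
    p.ExternalEntityRefHandler = refuse_external_entity
    p.Parse(xml_bytes, True)
    return "".join(chunks)


def run_demo() -> dict:
    """Stage a constructed secret file, then run both parsers on the
    same malicious upload plus a benign document."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "application.properties")
        with open(secret, "wb") as f:
            f.write(b"db.password=hunter2")  # constructed stand-in secret
        payload = build_payload(secret)
        leaked = parse_vulnerable(payload)
        try:
            parse_hardened(payload)
            rejected = False
        except XxeRejected:
            rejected = True
        benign = parse_hardened(b'<?xml version="1.0"?><cfg>plain</cfg>')
    return {"leaked": leaked, "rejected": rejected, "benign": benign}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable resolver is the whole bug: the parser itself never opens files, it hands the SYSTEM identifier to application code that then reads it. The fix is not to sanitize paths but to refuse DTDs entirely for untrusted input, which is what `reject_doctype` does; `refuse_external_entity` only matters if someone later re-enables DOCTYPE processing.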
“Successful exploitation grants access to files that should remain hidden,” Cisco warned in its advisory, emphasizing that no workarounds exist.
All versions of Cisco ISE and ISE-PIC are vulnerable, regardless of configuration. The Cisco Product Security Incident Response Team (PSIRT) confirmed no other products are impacted. Proof-of-concept (PoC) exploit code is publicly available, but PSIRT reports no malicious attacks to date.
Zero Day Initiative researcher Bobby Gould of Trend Micro is credited with the discovery. Organizations that rely on ISE for network access control, whether on premises or in cloud environments, face elevated risk while it remains unpatched.
Patches and Upgrade for ISE Vulnerability
Cisco urges immediate upgrades. Here’s a breakdown of fixed releases:
| Cisco ISE/ISE-PIC Release | First Fixed Release |
|---|---|
| Earlier than 3.2 | Migrate to a fixed release |
| 3.2 | 3.2 Patch 8 |
| 3.3 | 3.3 Patch 8 |
| 3.4 | 3.4 Patch 4 |
| 3.5 | Not vulnerable |
Follow the upgrade guides on Cisco's ISE support page. Cisco's PSIRT validates only the fixed releases listed above.
Because ISE often sits at the centre of zero-trust and network-access-control deployments, an XXE bug that discloses server files is a serious problem for compliance-heavy sectors such as finance and healthcare. Attackers could chain it with privilege escalation for deeper access, and with PoC code public, weaponization may follow quickly.
