Full Report
Cisco has released updates to address a medium-severity security flaw in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) with a public proof-of-concept (PoC) exploit. The vulnerability, tracked as CVE-2026-20029 (CVSS score: 4.9), resides in the licensing feature and could allow an authenticated, remote attacker with administrative privileges to gain access to
Analysis Summary
# Vulnerability: Medium-Severity XML Parsing Flaw in Cisco ISE/ISE-PIC Leading to File Read
## CVE Details
- CVE ID: CVE-2026-20029
- CVSS Score: 4.9 (Medium)
- CWE: Not explicitly stated; the flaw is improper XML parsing, consistent with XML External Entity (XXE) injection.
## Affected Systems
- Products: Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC)
- Versions:
  - Cisco ISE or ISE-PIC Release earlier than 3.2 (migrate to a fixed release)
  - Cisco ISE or ISE-PIC Release 3.2 up to 3.2 Patch 8
  - Cisco ISE or ISE-PIC Release 3.3 up to 3.3 Patch 8
  - Cisco ISE or ISE-PIC Release 3.4 up to 3.4 Patch 4
- Configurations: Affects the web-based management interface where XML files are processed within the licensing feature.
## Vulnerability Description
The vulnerability stems from improper parsing of XML data processed by the web-based management interface of Cisco ISE and ISE-PIC, specifically within the licensing feature. An authenticated, remote attacker with administrative privileges could exploit this flaw by uploading a malicious file to the application. Successful exploitation allows the attacker to read arbitrary files from the underlying operating system, information that should be restricted even from administrators.
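The flaw class described above is an XML parser that honours DTD and entity declarations in an uploaded file. The following is an added example, not Cisco's code or anything from the advisory, of the parser-side hardening that closes it: a licence upload handler that pre-scans the document with the standard-library expat parser and rejects any DOCTYPE or entity declaration before parsing. The `<license>` element layout and the sample files are constructed for the example.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when an uploaded XML document declares a DTD or entities."""


def reject_dtd_and_entities(data: bytes) -> None:
    """Pre-scan with expat and abort on any DOCTYPE or entity declaration.
    A licence file has no legitimate need for either; refusing them up front
    blocks external-entity file reads (XXE) and entity-expansion bombs before
    any application-level parser touches the data."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE declaration not allowed (root={name})")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration not allowed: {name}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:  # undefined entities, malformed input
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc


def load_license(data: bytes) -> dict:
    """Validate an upload, then parse it; returns the child fields as text."""
    reject_dtd_and_entities(data)
    root = ET.fromstring(data)
    return {child.tag: (child.text or "").strip() for child in root}


def is_safe_license(data: bytes) -> bool:
    """True if the upload passes validation and parses."""
    try:
        load_license(data)
        return True
    except UnsafeXMLError:
        return False


# Constructed sample inputs (not real licence files, hypothetical layout).
BENIGN = b"""<?xml version="1.0"?>
<license><product>ISE-PIC</product><seats>50</seats></license>"""

# Hostile sample: declares an external entity pointing at a local file. The
# path is a placeholder; the pre-scan rejects the DOCTYPE before resolution.
HOSTILE = b"""<?xml version="1.0"?>
<!DOCTYPE license [<!ENTITY leak SYSTEM "file:///PLACEHOLDER/secret">]>
<license><product>&leak;</product></license>"""
```

The same pre-scan also rejects internal entity declarations, so entity-expansion denial-of-service inputs are refused at the same point.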
## Exploitation
- Status: PoC available. Not exploited in the wild (as of the advisory date).
- Complexity: Requires an authenticated attacker with administrative privileges.
- Attack Vector: Remote (via the management interface).
## Impact
- Confidentiality: High (Allows reading of sensitive arbitrary files from the OS).
- Integrity: Low (Primary confirmed impact is information disclosure, not modification).
- Availability: Low (no direct availability impact is mentioned; the disclosed data could, however, enable further compromise).
## Remediation
### Patches
Cisco advises migrating to a fixed release. Specific patched versions mentioned include:
- Cisco ISE or ISE-PIC Release 3.2: Patch 8 or later
- Cisco ISE or ISE-PIC Release 3.3: Patch 8 or later
- Cisco ISE or ISE-PIC Release 3.4: Patch 4 or later
- Cisco ISE or ISE-PIC Release 3.5: Not vulnerable (not listed as affected; no patch required).
### Workarounds
- No workarounds are available for this flaw; applying a fixed release is the only remediation, so patch promptly.
## Detection
- Detection methods are not specified in the summary. Recommended indicators to monitor:
  - Unexpected administrative access to the ISE/ISE-PIC management interface.
  - Unusual file uploads via the licensing or management interface.
  - Abnormal OS file access originating from the ISE/ISE-PIC process.
## References
- Vendor Advisory: hxxps://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxe-jWSbSDKt