Full Report
No reports of active exploitation … yet Cisco patched a bug in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) products that allows remote attackers with admin-level privileges to access sensitive information - and warned that a public, proof-of-concept exploit for the flaw exists online.…
Analysis Summary
# Vulnerability: Sensitive Information Disclosure in Cisco ISE/ISE-PIC via XML Parsing Flaw
## CVE Details
- CVE ID: CVE-2026-20029
- CVSS Score: 4.9 (Medium)
- CWE: XML External Entity (XXE) handling flaw (**inferred**: the report does not name a CWE, but the description of improper XML parsing leading to arbitrary file read, and the "xxe" token in the vendor advisory identifier, point to an XXE-class weakness)
## Affected Systems
- Products: Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC)
- Versions: All versions (Affected regardless of device configuration)
- Configurations: Affects the web-based management interface.
## Vulnerability Description
The vulnerability stems from improper parsing of XML processed by the web-based management interface of ISE and ISE-PIC. A remote attacker with administrative privileges can exploit this flaw by uploading a malicious file to the application. A successful exploit allows the attacker to read arbitrary files from the underlying operating system, potentially exposing sensitive data that might otherwise be inaccessible even to administrators.
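The weakness class described above, arbitrary file read through XML parsing, is what a DTD-aware pre-parse gate is meant to stop. The following is an added illustration of such a gate, not Cisco's ISE/ISE-PIC code and not a fix for this specific bug: it walks an uploaded document once with Python's expat bindings, records any DOCTYPE, entity declaration or external entity reference, and only then hands the bytes to ElementTree. The element names, file path and size limit are constructed for the example.

```python
# Added example: a defensive pre-parse gate for XML uploaded through a
# management interface. Illustrative code, not Cisco's ISE/ISE-PIC
# implementation; the element names, file path and size limit are constructed.
import xml.etree.ElementTree as ET
from xml.parsers import expat

MAX_UPLOAD_BYTES = 1 << 20  # assumed limit for a configuration upload


class UnsafeXMLError(ValueError):
    """Raised when a document uses the DTD features an external-entity file read relies on."""


def check_no_dtd(data):
    """Walk the document once with expat and record every DOCTYPE, entity
    declaration or external entity reference. Hooking the expat callbacks is
    more robust than grepping for '<!DOCTYPE', which misses whitespace and
    encoding variations. Malformed input is rejected as well."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UnsafeXMLError("upload exceeds size limit")
    parser = expat.ParserCreate()
    problems = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        problems.append("DOCTYPE declaration for %r" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        problems.append("ENTITY declaration %r" % name)

    def on_external_ref(context, base, sysid, pubid):
        problems.append("external entity reference to %r" % sysid)
        return 0  # returning 0 tells expat not to resolve the reference

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # If expat aborted because we refused an entity, 'problems' already
        # explains why; otherwise the document is simply not well-formed.
        if not problems:
            raise UnsafeXMLError("malformed XML: %s" % exc) from exc
    if problems:
        raise UnsafeXMLError("; ".join(problems))


def parse_untrusted_xml(data):
    """Reject DTD-bearing input first, then parse with ElementTree."""
    check_no_dtd(data)
    return ET.fromstring(data)


def classify_upload(data):
    """Convenience wrapper: 'accepted' or 'rejected: <reason>'."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError as exc:
        return "rejected: %s" % exc
    return "accepted"


# Constructed sample uploads (not real ISE files).
BENIGN_XML = b'<?xml version="1.0"?><profile><name>guest-vlan</name></profile>'
HOSTILE_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE profile [<!ENTITY f SYSTEM "file:///PLACEHOLDER/secret">]>'
    b'<profile><name>&f;</name></profile>'
)
BARE_DOCTYPE_XML = b'<!DOCTYPE profile><profile><name>x</name></profile>'

if __name__ == "__main__":
    samples = (("benign", BENIGN_XML), ("hostile", HOSTILE_XML),
               ("bare doctype", BARE_DOCTYPE_XML))
    for label, doc in samples:
        print(label, "->", classify_upload(doc))
```

The gate rejects any document that carries a DOCTYPE at all, not only ones that declare external entities, because legitimate configuration uploads have no reason to ship a DTD and the blanket rule leaves no room for parser-specific bypasses. Where a product must accept DTDs, the equivalent hardening is to disable entity resolution and external DTD loading in the parser itself rather than to pattern-match the input.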
## Exploitation
- Status: PoC available
- Complexity: Medium (Requires prior authentication/admin-level privileges)
- Attack Vector: Network (Requires authenticated network access)
## Impact
- Confidentiality: High (Allows reading of arbitrary system files, including sensitive data)
- Integrity: Low (No direct mention of modification capability)
- Availability: Low (No direct mention of impact)
## Remediation
### Patches
- Cisco has released patches for the vulnerability in ISE and ISE-PIC. Customers should consult the relevant Cisco Security Advisory for specific patched versions.
### Workarounds
- No explicit workarounds were detailed, but given the public PoC and nature of the flaw, immediate patching is strongly recommended over waiting for configuration changes.
## Detection
- **Indicators of compromise:** Look for unusual file upload activity via the management interface, or unexpected file read operations originating from the ISE/ISE-PIC management process targeting system files.
- **Detection methods and tools:** Standard network and endpoint monitoring focusing on ISE management interfaces for suspicious file uploads or unusual activity post-authentication.
## References
- Vendor Advisory: [defanged] sec dot cloudapps dot cisco dot com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxe-jWSbSDKt
- CVE Information: [defanged] nvd dot nist dot gov/vuln/detail/CVE-2026-20029