Platform
cisco
Component
identity-services-engine
Fixed in
3.1.1
3.1.1
3.1.1
3.1.1
3.2.1
3.1.1
3.1.1
3.2.1
3.1.1
3.2.1
3.1.1
3.3.1
3.2.1
3.2.1
3.1.1
3.2.1
3.2.1
3.1.1
3.3.1
3.3.1
3.3.1
3.4.1
3.2.1
3.3.1
3.4.1
3.1.1
3.3.1
3.3.1
3.4.1
3.3.1
3.4.1
3.5.1
3.2.1
CVE-2026-20180 is a critical Remote Code Execution (RCE) vulnerability discovered in Cisco Identity Services Engine (ISE). Successful exploitation allows an authenticated, remote attacker to execute arbitrary commands on the underlying operating system, potentially leading to complete system compromise. This vulnerability impacts versions 3.1.0 through 3.5.0 of ISE, and Cisco has advised users to upgrade to a patched version as soon as possible.
The impact of CVE-2026-20180 is severe. An attacker with Read Only Admin credentials can leverage this vulnerability to gain user-level access to the ISE device's operating system. From there, privilege escalation techniques could be employed to achieve root or administrator access, granting them full control over the device. This could lead to data breaches, denial of service, and the ability to pivot to other systems on the network. The potential for lateral movement is significant, as a compromised ISE server often manages network access and authentication for numerous devices and users.
CVE-2026-20180 was publicly disclosed on 2026-04-15. The vulnerability requires authentication (Read Only Admin credentials), which lowers the barrier to entry for some attackers. No public proof-of-concept (PoC) code is currently available, but the vulnerability's nature suggests that it is likely to be exploited in the future. The CVSS score of 9.9 (CRITICAL) reflects the high severity of this vulnerability and the potential for widespread exploitation.
Exploit Status
EPSS
0.26% (50% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-20180 is to upgrade to a fixed version of Cisco Identity Services Engine as soon as it becomes available. Until an upgrade is possible, consider implementing temporary workarounds. Restrict access to the ISE management interface to only authorized personnel. Implement strict network segmentation to limit the potential blast radius of a successful attack. Monitor ISE logs for any suspicious activity, particularly HTTP requests containing unusual parameters. Consider using a Web Application Firewall (WAF) to filter potentially malicious traffic.
Update Cisco Identity Services Engine to a corrected version. See the Cisco advisory (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-rce-4fverepv) for more details on affected versions and available corrected versions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-20180 is a critical Remote Code Execution vulnerability affecting Cisco Identity Services Engine versions 3.1.0–3.5.0, allowing authenticated attackers to execute arbitrary commands.
If you are running Cisco Identity Services Engine versions 3.1.0 through 3.5.0, you are potentially affected by this vulnerability. Check your current version and upgrade as soon as possible.
The recommended fix is to upgrade to a patched version of Cisco Identity Services Engine. Consult Cisco's security advisory for the latest available version and upgrade instructions.
While no public exploits are currently available, the vulnerability's severity and potential impact suggest it is likely to be exploited in the future. Proactive mitigation is crucial.
Refer to the official Cisco Security Advisory for detailed information, affected products, and mitigation steps: [https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-rce-20260415]
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.