
Cisco Patches ISE Security Vulnerability After Public PoC Exploit Release

Severity (site rating): Low
Tags: Exploit, remote
Published: Thu Jan 08 2026 (01/08/2026, 10:44:00 UTC)
Source: The Hacker News

Description

Cisco has released updates to address a medium-severity security flaw in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) with a public proof-of-concept (PoC) exploit. The vulnerability, tracked as CVE-2026-20029 (CVSS score: 4.9), resides in the licensing feature and could allow an authenticated, remote attacker with administrative privileges to gain access to

AI-Powered Analysis

Last updated: 01/08/2026, 16:56:09 UTC

Technical Analysis

Cisco disclosed and patched CVE-2026-20029, a medium-severity vulnerability (CVSS 4.9) in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC). The root cause is improper parsing of XML data by the web-based management interface, specifically in the licensing feature. An attacker holding valid administrative credentials exploits it by uploading a crafted XML file; a successful exploit lets them read arbitrary files on the underlying operating system, including files the interface is meant to keep out of reach even of administrators. The direct effect is loss of confidentiality on the node itself; the secondary effect is whatever the leaked material (configuration, stored credentials) enables next.

Affected releases are ISE and ISE-PIC earlier than 3.5. Fixed releases are 3.2 Patch 8, 3.3 Patch 8 and 3.4 Patch 4; release 3.5 is not affected. Cisco has identified no workarounds, so patching (or moving to 3.5) is the only remediation. Proof-of-concept exploit code is public, which lowers the effort needed to weaponise the bug, although no active exploitation had been observed at the time of writing. The 4.9 score reflects the precondition (administrative access), not the depth of access once it is met: for an attacker who already holds an ISE admin account, or obtains one, the flaw is a direct path from the web UI to OS-level file read.

Concurrently, Cisco patched two other medium-severity vulnerabilities (CVE-2026-20026 and CVE-2026-20027) in the Snort 3 Detection Engine used by Cisco Secure Firewall Threat Defense, Cisco IOS XE and Cisco Meraki software; both are triggered through DCE/RPC request processing and could lead to denial of service or information disclosure. Together, these advisories underline the need for timely updates to Cisco network security products to preserve both availability and confidentiality.
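The article names the defect only as improper parsing of an uploaded XML licensing file. The textbook way such a defect becomes an arbitrary file read is an XML external entity (XXE) reference, so the following is an added example, written in Python for this page and not Cisco's code, of a parser that resolves external entities beside its hardened counterpart. That ISE's licensing parser fails in exactly this way is an assumption; the `licence`/`key` elements, the temporary secret file and its contents are constructed for the demonstration.

```python
"""
Added example (not from the article, not Cisco's code): an XML upload
handler that resolves external entities leaks a local file into the
parsed output; the hardened form refuses DTDs and keeps resolution off.
Python's xml.sax is used because one feature flag switches the behaviour.
"""
import io
import pathlib
import tempfile
import xml.sax
import xml.sax.handler


class _TextCollector(xml.sax.handler.ContentHandler):
    """Gathers the character data of every element into one string."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_licence_xml_unsafe(xml_bytes: bytes) -> str:
    """VULNERABLE: external general entities are resolved, so an entity
    declared as SYSTEM "file:///..." is read from disk and its contents
    turn up as element text that the caller (and attacker) can see."""
    parser = xml.sax.make_parser()
    # Off by default since Python 3.7.1; switched on here to show the failure mode.
    parser.setFeature(xml.sax.handler.feature_external_ges, True)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def parse_licence_xml_hardened(xml_bytes: bytes) -> str:
    """HARDENED: reject any document carrying a DTD (the only place an
    entity can be declared) and leave external entity resolution off."""
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declarations are not accepted in uploads")
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)


def crafted_licence_upload(target_path: str) -> bytes:
    """The attacker's upload: a licence-looking document whose single
    element expands an external entity naming a file on the appliance."""
    uri = pathlib.Path(target_path).resolve().as_uri()
    return (
        b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE licence [\n'
        b'  <!ENTITY xxe SYSTEM "' + uri.encode() + b'">\n'
        b']>\n'
        b'<licence><key>&xxe;</key></licence>\n'
    )


def demo() -> dict:
    """Constructed scenario: a secret file standing in for one the admin
    UI never exposes, one crafted upload, both parsers. Returns what the
    unsafe parser leaked and whether the hardened parser refused the file."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as f:
        f.write("db_password=hunter2")  # constructed sample secret
        secret_path = f.name
    try:
        upload = crafted_licence_upload(secret_path)
        leaked = parse_licence_xml_unsafe(upload)
        try:
            parse_licence_xml_hardened(upload)
            blocked = False
        except ValueError:
            blocked = True
    finally:
        pathlib.Path(secret_path).unlink()
    return {"leaked": leaked, "blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The byte-level scan for `<!DOCTYPE` is a cheap first filter at the upload boundary, not the real control: an upload in another encoding would slip past it, so decode to the declared encoding before scanning, and rely on the parser setting (resolution off, DTD processing disabled where the library offers it) as the guarantee.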

Potential Impact

For European organizations, the vulnerability threatens the confidentiality of the network and security configuration held on Cisco ISE and ISE-PIC nodes. Unauthorized file access could expose credentials, configuration files or other sensitive data, enabling lateral movement or privilege escalation within the enterprise network. Because ISE sits at the centre of network access control and policy enforcement, a compromised node undermines the security posture of everything it authenticates and can disrupt identity services. The requirement for administrative credentials narrows the attacker set to insiders and to adversaries who have already taken over an admin account, but the public PoC means that once such an account is obtained, exploitation is quick and needs no further research. With no workaround available, patching is the only mitigation. The related Snort 3 vulnerabilities additionally affect the availability and confidentiality of the intrusion detection layer, weakening network defence at the same time. European operators of critical infrastructure, government networks and large enterprises that depend on Cisco ISE and the related products face the greatest risk of operational disruption and data breach while unpatched.

Mitigation Recommendations

European organizations should first identify every Cisco ISE and ISE-PIC instance in their environment and record its release and patch level, then bring all nodes earlier than 3.5 to a fixed release (3.2 Patch 8, 3.3 Patch 8 or 3.4 Patch 4, or upgrade to 3.5) without delay, as no workaround exists. Patching closes the file read but does not undo any exposure that has already happened: where an ISE admin account is suspected to have been misused, treat secrets stored on the appliance as exposed and rotate them. Restrict administrative access to the ISE and ISE-PIC management interfaces by network segmentation and strict access controls, so that a stolen credential cannot be used from arbitrary locations, and require multi-factor authentication for all administrative accounts. Audit administrative account usage regularly and review logs for unexpected file uploads or XML processing in the licensing feature. For Snort 3 on Cisco Secure Firewall, IOS XE or Meraki platforms, apply the corresponding patches for the denial-of-service and information disclosure issues. Review incident response plans so that exploitation attempts against management interfaces are detected and handled promptly, and use network intrusion detection and prevention to flag anomalous traffic to those interfaces. Finally, keep asset inventories and vulnerability management processes current so that fixed releases are deployed as soon as they are available.
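The first step above, checking every node against the fixed releases, is the one most often done by eye from a spreadsheet. Here it is as an added example (written for this page, not Cisco's tooling) that reads a constructed inventory of hostname-to-version strings and sorts the nodes into patched, vulnerable, not affected and unknown, using only the release information the article gives. The `<release> Patch <n>` string format and the sample inventory are assumptions for the example; collecting the real version from each node is left to the operator.

```python
"""
Added example (not from the article, not Cisco's code): triage an
inventory of ISE / ISE-PIC nodes against the fixed releases the article
lists (3.2 Patch 8, 3.3 Patch 8, 3.4 Patch 4; 3.5 not affected).
Version strings and the inventory are constructed for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Minimum fixed patch per release train, as stated in the article.
FIXED_PATCH = {(3, 2): 8, (3, 3): 8, (3, 4): 4}
# Everything earlier than 3.5 is affected; 3.5 is not.
FIRST_UNAFFECTED_TRAIN = (3, 5)

# Accepts "3.3 Patch 7", "3.4.0 Patch 4" or "3.5"; build digits after the
# major.minor train are tolerated and ignored.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.\d+)*(?:\s+Patch\s+(\d+))?\s*$", re.IGNORECASE
)


@dataclass(frozen=True)
class Verdict:
    host: str
    version: str
    status: str  # "vulnerable", "unknown", "patched" or "not_affected"
    action: str


def parse_version(text: str) -> tuple[tuple[int, int], int]:
    """Return ((major, minor), patch); patch is 0 when none is stated."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2))), int(m.group(3) or 0)


def assess(host: str, version_text: str) -> Verdict:
    """Decide one node's status from its release train and patch level."""
    try:
        train, patch = parse_version(version_text)
    except ValueError:
        return Verdict(host, version_text, "unknown",
                       "collect the version manually and re-run")
    if train >= FIRST_UNAFFECTED_TRAIN:
        return Verdict(host, version_text, "not_affected", "none")
    fixed = FIXED_PATCH.get(train)
    if fixed is None:
        # Affected train for which the article names no fixed patch.
        return Verdict(host, version_text, "vulnerable",
                       "no fixed patch listed for this train; move to a fixed release")
    if patch >= fixed:
        return Verdict(host, version_text, "patched", "none")
    return Verdict(host, version_text, "vulnerable",
                   f"apply {train[0]}.{train[1]} Patch {fixed} or later")


_PRIORITY = {"vulnerable": 0, "unknown": 1, "patched": 2, "not_affected": 3}


def triage(inventory: dict[str, str]) -> list[Verdict]:
    """Vulnerable and unknown nodes first, so the top of the list is the patch queue."""
    verdicts = [assess(host, version) for host, version in inventory.items()]
    return sorted(verdicts, key=lambda v: (_PRIORITY[v.status], v.host))


# Constructed inventory for the demonstration.
SAMPLE_INVENTORY = {
    "ise-pan-01": "3.3 Patch 7",
    "ise-pan-02": "3.3 Patch 8",
    "ise-pic-01": "3.4 Patch 3",
    "ise-psn-03": "3.1 Patch 9",
    "ise-lab-01": "3.5",
    "ise-old-01": "unknown",
}


if __name__ == "__main__":
    for v in triage(SAMPLE_INVENTORY):
        print(f"{v.host:12} {v.version:14} {v.status:13} {v.action}")
```

A node that comes back "patched" is no longer exploitable, but that says nothing about what happened before the patch landed; pair the list with the admin audit review recommended above for any node that was reachable with a known-compromised account.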


Technical Details

Article source: https://thehackernews.com/2026/01/cisco-patches-ise-security.html (fetched 2026-01-08T16:55:09Z, 965 words)

Threat ID: 695fe16f2717593a3368db70

Added to database: 1/8/2026, 4:55:11 PM

Last enriched: 1/8/2026, 4:56:09 PM

Last updated: 1/9/2026, 12:14:47 PM
