Cisco has fixed a critical vulnerability, tracked as CVE-2026-20181, in its Identity Services Engine (ISE) that allows authenticated administrators to execute commands and gain root access because of improper validation of user input. The vulnerability has a CVSS score of 9.1. Exploitation can lead to privilege escalation and, in single-node deployments, may cause denial-of-service (DoS) conditions for unauthenticated endpoints.
The flaw was patched in ISE/ISE-PIC versions 3.3 Patch 11 and 3.4 Patch 6, with a hotfix available for version 3.5. Cisco also patched a second vulnerability, CVE-2026-20190, an information disclosure issue with a CVSS score of 7.5. No active exploitation of these vulnerabilities has been reported.