Date: 2026-01-08

CVE-2026-20029 in Cisco ISE/ISE-PIC allows arbitrary file reads via malicious XML uploads

Exploitation requires valid admin credentials; no workarounds exist—patching is the only fix

PoC exploit available; past ISE flaws show attackers actively target enterprise network access controls

Cisco has patched a medium-severity vulnerability in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), for which there is a proof-of-concept (PoC) exploit.

In a security advisory published by Cisco, the network giant said the bug was due to improper parsing of XML that is processed by the web-based management interface of the affected tools.

The bug, tracked as CVE-2026-20029 and assigned a severity score of 4.9/10 (medium), allows an authenticated, remote attacker with administrative privileges to gain access to sensitive information.

Patches and workarounds

By uploading a malicious file to the application, an attacker could read arbitrary files from the underlying operating system, accessing sensitive and private information. To exploit the vulnerability, the threat actor needs to have valid admin credentials.

There are no workarounds for the vulnerability, Cisco warned, and the only way to address the problem is to patch the applications. Different versions have different patches, so make sure to apply the correct one:

Earlier than 3.2 - Migrate to a fixed release

3.2 - 3.2 Patch 8

3.3 - 3.3 Patch 8

3.4 - 3.4 Patch 4

3.5 - Not vulnerable
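The release-to-patch list above can be applied to a node inventory to find which deployments still need work. The following is an added example, not Cisco's or the article's code: the hostnames, build numbers and the `(hostname, version, installed patch)` input shape are constructed, and it assumes later patches in a release train keep the fix.

```python
from typing import List, NamedTuple, Optional, Tuple

# First fixed patch per release train, copied from the list above.
FIRST_FIXED_PATCH = {(3, 2): 8, (3, 3): 8, (3, 4): 4}
NOT_VULNERABLE = {(3, 5)}
OLDEST_PATCHABLE = (3, 2)  # anything earlier has to migrate

class Verdict(NamedTuple):
    vulnerable: Optional[bool]  # None: release is not covered by the list
    action: str

def parse_train(version: str) -> Tuple[int, int]:
    """Reduce a dotted version such as '3.3.0.430' to its (major, minor) train."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not (parts[0].isdigit() and parts[1].isdigit()):
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(parts[0]), int(parts[1])

def assess(version: str, patch: int) -> Verdict:
    """patch is the highest installed patch number, 0 if none is installed."""
    train = parse_train(version)
    if train in NOT_VULNERABLE:
        return Verdict(False, "none, release not vulnerable")
    if train < OLDEST_PATCHABLE:
        return Verdict(True, "migrate to a fixed release")
    fixed = FIRST_FIXED_PATCH.get(train)
    if fixed is None:
        # Do not guess for releases the list does not mention.
        return Verdict(None, "not listed, check the vendor advisory")
    if patch >= fixed:  # assumption: later patches in a train keep the fix
        return Verdict(False, "none, fixed patch level installed")
    return Verdict(True, f"install {train[0]}.{train[1]} Patch {fixed}")

# Constructed inventory: (hostname, version, installed patch). Not real hosts.
SAMPLE = [("ise-psn-01", "3.3.0.430", 7), ("ise-pan-01", "3.4.0.608", 4),
          ("ise-old-01", "3.1.0.518", 10), ("ise-lab-01", "3.5.0.1", 0)]

def triage(inventory) -> List[Tuple[str, str]]:
    """Return (hostname, action) for every node that is vulnerable or unknown."""
    return [(host, v.action) for host, ver, p in inventory
            if (v := assess(ver, p)).vulnerable is not False]

if __name__ == "__main__":
    for host, action in triage(SAMPLE):
        print(f"{host}: {action}")
```

Releases outside the list come back with `vulnerable=None` instead of a guess, so they are flagged for manual review against the vendor advisory.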

While the network giant said it saw no evidence of the vulnerability being actively exploited in the wild, it did say that proof-of-concept code is available. In other words, it is only a matter of time before we see an organization lose sensitive files through this bug.

Cisco Identity Services Engine (ISE) is most commonly used in medium to large enterprise environments where organizations need centralized control over who and what can access their networks. As such, it is a popular target among cybercriminals.

In November 2025, it was found that “sophisticated” threat actors were using a 10/10 zero-day in ISE to deploy custom backdoor malware.

In June 2025, Cisco patched three bugs in ISE and Customer Collaboration Platform, including a critical-severity issue with a public proof-of-concept exploit.

