
Cisco ISE XXE Vulnerability Exposes Sensitive Files to Authenticated Attackers After Public PoC Release
Cisco has patched a medium-severity XML External Entity (XXE) vulnerability in Identity Services Engine that allows authenticated administrators to read arbitrary system files—including those normally restricted from admin access. With proof-of-concept exploit code now publicly available, organizations running ISE or ISE-PIC should apply patches immediately despite no confirmed active exploitation.
Frequently Asked Questions
CVE-2026-20029 is an XML External Entity (XXE) vulnerability in Cisco Identity Services Engine that allows an authenticated administrator to read arbitrary system files, including those normally restricted even to administrators.
An attacker with administrator privileges can extract sensitive files such as configurations, certificates, private keys, and authentication data stored on the ISE server, potentially compromising the entire network.
Yes, a functional proof-of-concept has been published, significantly increasing the risk of exploitation by less sophisticated attackers. Immediate patch application is strongly recommended.
ISE and ISE-PIC versions prior to the January 2026 patches are vulnerable. Cisco has released security updates for all supported versions.
Apply Cisco patches immediately, limit ISE administrator access to the strict minimum, monitor logs for abnormal file access, and audit existing administrator accounts.
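The defect class behind CVE-2026-20029 is an XML parser that honours DOCTYPE entity declarations and resolves external entities, so an administrator-supplied document can pull file contents into the parsed output. The block below is an added example, not Cisco's code and not a reproduction of the ISE parser: it shows the hardened configuration a defender would want in any XML-consuming endpoint, using Python's standard `xml.parsers.expat` to reject DOCTYPE declarations, entity declarations and external entity references outright. The sample documents and the `file:///tmp/constructed-secret.txt` path are constructed for the example.

```python
"""Hardened XML parsing that refuses DOCTYPE and entity constructs (XXE defence).

Added example; not code from Cisco ISE. Uses only the Python standard library.
"""
import xml.parsers.expat


class XXEAttempt(ValueError):
    """Raised when the input carries a DOCTYPE, entity declaration or external entity."""


def parse_xml_safely(data: bytes) -> dict:
    """Parse XML into a flat {tag: [text, ...]} map.

    Any DOCTYPE, entity declaration or external entity reference aborts parsing,
    which removes the mechanism an XXE payload relies on to read local files.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.buffer_text = True  # deliver each text node in one callback
    result: dict = {}
    stack: list = []

    # Expat signatures: these handler names and argument lists are the real
    # pyexpat API; an exception raised inside a handler propagates out of Parse().
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XXEAttempt(f"DOCTYPE declaration refused: {name!r}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise XXEAttempt(f"entity declaration refused: {name!r}")

    def on_external_entity(context, base, sysid, pubid):
        raise XXEAttempt(f"external entity refused: {sysid!r}")

    def on_start(tag, attrs):
        stack.append(tag)
        result.setdefault(tag, [])

    def on_end(tag):
        stack.pop()

    def on_chars(text):
        if stack and text.strip():
            result[stack[-1]].append(text.strip())

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return result


def is_safe_xml(data: bytes) -> bool:
    """Convenience check for an upload gate or log-enrichment step."""
    try:
        parse_xml_safely(data)
        return True
    except XXEAttempt:
        return False
    except xml.parsers.expat.ExpatError:
        return False  # malformed input is rejected as well


# Constructed sample inputs for demonstration.
BENIGN_DOC = b"<cfg><user>alice</user></cfg>"
XXE_STYLE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE cfg [<!ENTITY x SYSTEM "file:///tmp/constructed-secret.txt">]>'
    b"<cfg><user>&x;</user></cfg>"
)

if __name__ == "__main__":
    print(parse_xml_safely(BENIGN_DOC))
    print("xxe-style document accepted?", is_safe_xml(XXE_STYLE_DOC))
```

The policy here is deliberately strict: a DOCTYPE is refused even when it declares only internal entities, because management interfaces rarely need DTDs at all, and a refusal is easy to log and alert on. Wherever the parser runs with administrator-submitted input, the same settings should be applied (for lxml, `resolve_entities=False` and `no_network=True` on the parser object; for Java, disabling DOCTYPE via the `disallow-doctype-decl` feature), and a rejected document is a signal worth forwarding to the SIEM alongside the account that submitted it.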