
Cisco ISE XXE Vulnerability Exposes Sensitive Files to Authenticated Attackers After Public PoC Release

Cisco has patched a medium-severity XML External Entity (XXE) vulnerability in Identity Services Engine that allows authenticated administrators to read arbitrary system files—including those normally restricted from admin access. With proof-of-concept exploit code now publicly available, organizations running ISE or ISE-PIC should apply patches immediately despite no confirmed active exploitation.

Evan Mael
CVSS score: 4.9 (CVE-2026-20029; medium severity, but the public PoC raises the urgency)
Affected release branches: 4
Total CVEs covered: 3 (the ISE XXE flaw plus two Snort 3 flaws)
Workarounds: 0

Cisco has released security updates addressing a vulnerability in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could allow authenticated attackers to access sensitive system information. The patch arrives alongside the public release of proof-of-concept exploit code, elevating the urgency for enterprise security teams to act.

Tracked as CVE-2026-20029 with a CVSS score of 4.9, the flaw resides in ISE's licensing feature and stems from improper parsing of XML processed by the web-based management interface. Exploitation requires valid administrative credentials, but a successful attack still crosses a trust boundary: the ISE administrator role is a web-application role, not an operating-system account, and it is not meant to grant raw read access to files on the underlying OS.

XML External Entity Attack Vector

The flaw is a classic XML External Entity (XXE) weakness. An XML document can declare entities in its DTD, and an external entity whose SYSTEM identifier names a local file instructs any parser that resolves such entities to read that file and splice its contents into the document wherever the entity is referenced. If the application then stores or reflects the parsed content, the attacker gets the file. Here, an attacker who already holds administrative credentials uploads a crafted XML file through the licensing feature of the web-based management interface; because the parser behind that feature resolves external entities, the attacker can read arbitrary files from the underlying operating system, including ones the admin role is not supposed to see. The standard fix for this class of bug is to disable DTD and external entity processing in the parser; Cisco's advisory does not describe the specific change made in the fixed releases.
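The following Python script is an added illustration of the parser behaviour behind a file-read XXE; it is not code from the Cisco advisory, and whatever parser ISE uses internally is not described there. It uses the standard library's xml.sax parser and runs the same payload through three configurations: the vulnerable one (external general entities resolved), the stdlib default since Python 3.7.1 (external entities silently skipped), and a strict one that aborts on any DOCTYPE. The <license>/<key> element names, the temporary "secret" file and its contents are constructed for the demo and stand in for the real licensing upload and for a restricted system file.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


class TextCollector(ContentHandler):
    """Collects the character data the parser delivers, which is where an
    expanded external entity (i.e. the stolen file) ends up."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


class RejectDoctype:
    """Lexical handler that aborts the parse the moment a DOCTYPE appears.
    Uploaded data files never need a DTD, so refusing one up front closes the
    whole XXE class (file://, http://, parameter-entity tricks), not one variant."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE declarations are not accepted in uploads")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_upload(xml_bytes, mode):
    """Parse an uploaded XML document and return its text content.

    mode == "vulnerable": external general entities are resolved, so a
                          SYSTEM entity pointing at file:// reads that file.
    mode == "default":    stdlib default since Python 3.7.1; the external
                          entity is skipped and expands to nothing.
    mode == "strict":     any DOCTYPE aborts the parse with ValueError.
    """
    collector = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(collector)
    parser.setFeature(feature_external_ges, mode == "vulnerable")
    if mode == "strict":
        parser.setProperty(property_lexical_handler, RejectDoctype())
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def xxe_payload(path):
    """A classic file-read XXE document. The <license>/<key> element names are
    made up for this demo; the real ISE licensing format is not public in the
    advisory. The entity is declared in the internal DTD subset and referenced
    from element content, so a resolving parser inlines the named file."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE license [\n'
        f'  <!ENTITY xxe SYSTEM "file://{path}">\n'
        ']>\n'
        '<license><key>&xxe;</key></license>\n'
    ).encode()


def demo():
    """Run the same payload through all three parser configurations and report
    what each one exposed. Uses a constructed secret file in a temporary
    directory instead of a real system file."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w", encoding="utf-8") as f:
            f.write("hunter2")  # constructed stand-in for a restricted file
        payload = xxe_payload(secret_path)

        results["vulnerable"] = parse_upload(payload, "vulnerable")
        results["default"] = parse_upload(payload, "default")
        try:
            parse_upload(payload, "strict")
            results["strict"] = "accepted"
        except ValueError:
            results["strict"] = "rejected"
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(f"{mode:10s} -> {outcome!r}")
```

The "default" configuration shows why the mere absence of file contents is not proof of safety: the entity reference is accepted and expands to an empty string, so a product that merely forgot to turn resolution on is one configuration flag away from the vulnerable case. Rejecting the DOCTYPE outright, as the strict mode does, is the setting to aim for when the upload format never legitimately carries a DTD.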

Patch Matrix and Upgrade Path

Four ISE/ISE-PIC release branches require patching attention.

The vulnerability affects multiple ISE and ISE-PIC releases, each with its own fixed patch level. Cisco lists no workarounds, so upgrading to a fixed release is the only remediation:

Version          Required action
Prior to 3.2     Migrate to a supported fixed release
3.2              Apply Patch 8
3.3              Apply Patch 8
3.4              Apply Patch 4
3.5              Not affected

Snort 3 Detection Engine Also Patched

Alongside the ISE advisory, Cisco addressed two additional medium-severity vulnerabilities affecting the Snort 3 Detection Engine. Both flaws stem from improper processing of Distributed Computing Environment Remote Procedure Call (DCE/RPC) requests and could be exploited by unauthenticated remote attackers.

Trend Micro researcher Guy Lederfein reported both vulnerabilities.

Broad Product Impact for Snort Issues

The Snort 3 vulnerabilities affect multiple Cisco product lines, expanding the scope of necessary patching activities:

  • Cisco Secure Firewall Threat Defense (FTD) Software — vulnerable when Snort 3 is configured as the detection engine
  • Cisco IOS XE Software — affected releases and configurations are listed in the Snort 3 advisories
  • Cisco Meraki software — affected releases and configurations are listed in the Snort 3 advisories

Organizations running any of these platforms should review the associated security advisories and apply updates according to their deployment configurations. The combination of unauthenticated exploitation and potential service disruption makes these patches important components of January security maintenance.

Action Items for Security Teams

Immediate Actions:

  1. Inventory ISE and ISE-PIC deployments, record the release branch and patch level of each, and map them against the patch matrix above
  2. Where immediate patching is not feasible, add monitoring for administrative logins to the ISE management interface and restrict which source networks can reach it
  3. Review ISE administrative audit logs for unexpected licensing or file upload activity by administrator accounts, since a valid admin session is all the attack requires
  4. Keep the number of ISE administrator accounts to the minimum needed and enforce least privilege on them, so that a compromised credential has limited reach

For Snort 3 environments, verify detection engine configuration and apply relevant patches to FTD, IOS XE, and Meraki deployments.

Incident Summary

Type: Vulnerability
Severity: Medium
Industry: Enterprise
Threat Actor: N/A
Target: Network Administrators, Enterprise Security Teams
Published: Jan 8, 2026
