Bypassing the Gatekeeper: Public Exploit Released for Cisco ISE Flaw
Cisco has remediated a vulnerability within its Identity Services Engine (ISE) network access control system, for which a public proof-of-concept exploit has already surfaced. This flaw, which can be weaponized by an adversary possessing administrative credentials, facilitates unauthorized access to sensitive data sequestered on compromised devices.
Cisco ISE and its associated component, the Passive Identity Connector (ISE-PIC), are pivotal in corporate architectures for managing user and device access, particularly within Zero Trust frameworks. The identified issue, designated as CVE-2026-20029, impacts both systems regardless of their specific configuration.
According to Cisco’s technical advisory, the vulnerability stems from the improper processing of XML files within the web-based management interface. By uploading a meticulously crafted file, an attacker can coerce the system into reading arbitrary files from the underlying operating system. Consequently, data that is typically inaccessible—even to administrators—is rendered vulnerable. While the exploit requires valid administrative credentials, the emergence of a functional demonstration in the public domain significantly elevates the threat profile.
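As an added defensive illustration (not code from Cisco's advisory or any ISE component; the advisory does not detail the parsing flaw, so treating it as an external-entity class of problem is an assumption), the following Python pre-parse gate refuses uploaded XML that declares a DOCTYPE, any entity, or an external entity reference, which is the input-validation control that stops a crafted file from pulling in files from the host. The sample documents are constructed placeholders, not real ISE uploads.

```python
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when an untrusted document declares a DOCTYPE or any entity."""


def check_upload_xml(data: bytes) -> None:
    """Scan an untrusted XML upload with expat before any real parsing.

    Any DOCTYPE, entity declaration or external entity reference aborts the
    scan; those are the constructs that let a crafted document reference
    resources outside itself. Malformed XML raises expat.ExpatError.
    """
    parser = expat.ParserCreate()

    def reject(*_args):
        # Handlers may raise; expat stops and propagates the exception.
        raise UnsafeXMLError("DOCTYPE/entity constructs are not allowed in uploads")

    parser.StartDoctypeDeclHandler = reject   # <!DOCTYPE ...>
    parser.EntityDeclHandler = reject         # <!ENTITY ...> (internal or external)
    parser.ExternalEntityRefHandler = reject  # &ext; resolved from outside the doc
    parser.Parse(data, True)


def classify_upload(data: bytes) -> str:
    """Return 'accepted', 'rejected-unsafe' or 'rejected-malformed'."""
    try:
        check_upload_xml(data)
    except UnsafeXMLError:
        return "rejected-unsafe"
    except expat.ExpatError:
        return "rejected-malformed"
    return "accepted"


# Constructed sample uploads (hypothetical policy format, not an ISE schema).
BENIGN = b'<?xml version="1.0"?><policy><rule name="allow-printers"/></policy>'
EXTERNAL_ENTITY = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE policy [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
                   b'<policy><rule name="&ext;"/></policy>')
BARE_DOCTYPE = b'<!DOCTYPE policy><policy/>'
MALFORMED = b'<policy><rule></policy>'

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("external-entity", EXTERNAL_ENTITY),
                       ("bare-doctype", BARE_DOCTYPE), ("malformed", MALFORMED)]:
        print(f"{label:16} {classify_upload(doc)}")
```

Rejecting every DOCTYPE is deliberately stricter than only blocking external entities, since a management interface has no reason to accept a DTD from an uploaded file.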
Analysts report that there is currently no evidence of this vulnerability being leveraged in active incursions. However, because a public exploit is now accessible, Cisco maintains that temporary mitigations are merely short-term palliatives. Organizations are strongly exhorted to transition to the following patched releases:
- Versions prior to 3.2 must migrate to a supported branch.
- Branch 3.2: Resolved in Patch 8.
- Branch 3.3: Resolved in Patch 8.
- Branch 3.4: Resolved in Patch 4.
- Version 3.5: Deemed inherently immune.
Concurrently, Cisco has addressed several vulnerabilities in IOS XE that permitted unauthenticated remote actors to reset the Snort 3 detection engine, potentially resulting in Denial of Service (DoS) conditions or the exfiltration of network traffic data. In these instances, neither public exploits nor active attacks have been observed.
These developments follow a warning from Amazon analysts in November regarding a critical zero-day in Cisco ISE (CVE-2025-20337), which was utilized by threat actors to deploy bespoke malware. Furthermore, in December, Cisco disclosed ongoing assaults by the Chinese threat collective UAT-9686, which capitalizes on another critical flaw, CVE-2025-20393, in AsyncOS products. As a definitive patch for the latter remains pending, the company advises strictly limiting device access to trusted hosts, reducing internet exposure, and isolating affected systems behind robust firewalls.