Critical (9.9)

Cisco ISE authenticated command injection to root (CVE-2026-20180) [PoC]

CVE-2026-20180

Cisco ISE 3.x has a critical authenticated command injection flaw granting root-level access and DoS. Apply patch 3.1P7 or later to secure network access controls.

Patch now: CVE-2026-20180 is a critical command injection in Cisco ISE software (3.x) that lets an authenticated attacker execute arbitrary commands on the OS, escalate to root, and trigger a denial-of-service condition on the appliance.

Overview

A critical vulnerability in Cisco Identity Services Engine (ISE) allows authenticated attackers to execute arbitrary commands on the device’s underlying operating system. Tracked as CVE-2026-20180, this flaw has a maximum CVSS score of 9.9. Attackers can leverage this to gain a foothold on the system and escalate privileges to the root user, leading to a complete compromise of the network access control system.

Vulnerability Details

The vulnerability stems from insufficient validation of user-supplied input in the web management interface. An authenticated remote attacker with at least Read-Only Administrator privileges can exploit this by sending a specially crafted HTTP request to a vulnerable ISE node. A successful exploit grants the attacker user-level access to the underlying Linux OS, which can then be used to escalate privileges to root.

Impact and Risk

The primary risk is the complete compromise of the ISE appliance, granting an attacker root-level control. This could be used to steal credentials, manipulate network access policies, deploy malware, or establish persistence. In single-node ISE deployments, successful exploitation can also cause the node to become unavailable, creating a denial-of-service (DoS) condition. This would prevent new endpoints from authenticating to the network until the service is restored.

Affected Products

This vulnerability affects Cisco ISE software. Cisco has confirmed specific affected versions in its security advisory. Administrators must check the official Cisco advisory for the complete list of vulnerable releases.

Remediation and Mitigation

The only complete remediation is to apply the patch provided by Cisco. The vendor has released software updates that address this vulnerability. There are no workarounds that effectively mitigate this flaw. Organizations should prioritize patching all affected ISE nodes immediately. As a best practice, ensure that Read-Only Administrator accounts are only assigned to trusted personnel and that account credentials are managed securely.

Security Insight

This vulnerability highlights the persistent risk of input validation flaws in critical network security appliances, even for authenticated functions. The high privilege requirement for exploitation underscores the importance of strict credential management and the principle of least privilege, as compromised low-privilege accounts can serve as a stepping stone to total system control. For context on how attackers target Cisco infrastructure, see related coverage, "Interlock Ransomware Exploits Cisco FMC Zero-Day."

Update - May 2026

Since the initial April 15 publication, Cisco released an updated advisory on April 29 confirming that CVE-2026-20180 affects all ISE releases prior to 3.3 Patch 5. Patches are available for 3.1 (Patch 7), 3.2 (Patch 6), and 3.3 (Patch 5). No mitigation short of patching is confirmed effective.

The vulnerability has not been added to CISA KEV as of May 11, though continued monitoring is warranted given the CVSS 9.9 rating and the authenticated RCE context. EPSS remains low at 0.0026 (49th percentile), indicating minimal scanning activity in the wild, likely because of the authentication requirement. However, two related CVEs published on May 5, CVE-2026-20213 (information disclosure via SNMP) and CVE-2026-20221 (privilege escalation in the ISE web interface), share the same software family and lower the barrier to full compromise if chained. No public exploit code or active exploitation has been reported.

Defenders should prioritize patching ISE deployments immediately, restrict remote access to ISE admin interfaces, and audit authentication logs for unusual command execution patterns. Review policy enforcement node segmentation to limit the blast radius in case of compromise. Continue monitoring CISA KEV daily.
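A patch-status check over an ISE node inventory, written here as an added example (not code from this advisory or from Cisco). It encodes only the fixed releases named above; the inventory line format "hostname,version,patch" and the sample hosts are constructed, and treating trains newer than 3.3 as fixed is an inference from "all ISE releases prior to 3.3 Patch 5", not something the advisory states.

```python
"""Patch-status triage of Cisco ISE nodes for CVE-2026-20180.

Added example, not code from the advisory or from Cisco. Encodes only the
fixed releases the advisory names (3.1 Patch 7, 3.2 Patch 6, 3.3 Patch 5).
The inventory format "<hostname>,<version>,<patch>" is constructed.
"""
import re

# Minimum patch level per release train that the advisory lists as fixed.
FIXED_PATCH = {(3, 1): 7, (3, 2): 6, (3, 3): 5}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)*$")

def parse_inventory_line(line: str) -> tuple[str, tuple[int, int], int]:
    """Parse 'ise-pan-01,3.2.0.542,5' -> ('ise-pan-01', (3, 2), 5)."""
    hostname, version, patch = (f.strip() for f in line.split(","))
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {version!r}")
    return hostname, (int(m.group(1)), int(m.group(2))), int(patch)

def is_vulnerable(train: tuple[int, int], patch: int) -> bool:
    """True when the release is one the advisory lists as affected.

    A train with a named fix is safe only at or above that patch level; a
    train without one is affected if it predates 3.3 (assumption: 3.4+ fixed).
    """
    if train in FIXED_PATCH:
        return patch < FIXED_PATCH[train]
    return train < (3, 3)

def triage(inventory: str) -> dict[str, bool]:
    """Map hostname -> needs patching, for every non-empty inventory line."""
    result = {}
    for line in filter(None, inventory.splitlines()):
        hostname, train, patch = parse_inventory_line(line)
        result[hostname] = is_vulnerable(train, patch)
    return result

# Constructed sample inventory; hostnames and build numbers are made up.
SAMPLE_INVENTORY = """\
ise-pan-01,3.2.0.542,5
ise-pan-02,3.2.0.542,6
ise-psn-01,3.1.0.518,7
ise-psn-02,3.3.0.430,4
ise-psn-03,3.0.0.458,8
ise-lab-01,3.4.0.608,0
"""
```

Running `triage(SAMPLE_INVENTORY)` flags the 3.2 Patch 5, 3.3 Patch 4 and 3.0 nodes as needing the patch and clears the rest.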

Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository: kaleth4/CVE-2026-20180 (Stars: 1)

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.
