Cisco ISE authenticated command injection (CVE-2026-20186)

Patch now - CVE-2026-20186 is a critical command injection in Cisco Identity Services Engine that lets attackers with Read Only Admin credentials execute arbitrary commands and escalate to full root control. Cisco has released fixes; update to ISE 3.3 Patch 2 or later immediately.

Overview

A critical vulnerability in Cisco Identity Services Engine (ISE) allows an attacker with low-level administrative access to execute commands on the device’s underlying operating system and gain full root control. Tracked as CVE-2026-20186 with a CVSS score of 9.9, this flaw stems from insufficient input validation in the web interface.

Vulnerability Details

The vulnerability is an authenticated command injection flaw. An attacker needs only “Read Only Admin” credentials-a low-privilege account-to exploit it. By sending a specially crafted HTTP request to a vulnerable ISE node, the attacker can bypass security controls and execute arbitrary commands. This provides initial access at the operating system’s user level, which can then be escalated to full root privileges.

Impact and Risk

Successful exploitation has severe consequences. An attacker with root access can completely compromise the ISE device, potentially stealing network authentication credentials, manipulating access policies, or deploying persistent malware. In single-node deployments, exploitation can crash the ISE service, causing a denial-of-service (DoS) condition. This would prevent new endpoints from authenticating and accessing the network until the node is restored.

While this vulnerability is not currently confirmed to be exploited in the wild, its high severity and ease of exploitation make it a prime target. Organizations should treat it as an urgent patching priority.

Remediation and Mitigation

Cisco has released software updates that address this vulnerability. Affected users must apply the patches immediately. The fixed versions are:

• Cisco ISE 3.3 and later: Update to 3.3 Patch 2 or later.
• Cisco ISE 3.2 and earlier: Migrate to a fixed release.

If immediate patching is not possible, consider these temporary mitigations:

• Restrict Access: Limit administrative access to the ISE web interface to trusted IP addresses using network control lists (ACLs).
• Principle of Least Privilege: Review and minimize the number of accounts with “Read Only Admin” or higher privileges.
• Monitor Logs: Closely monitor ISE and network logs for unusual HTTP requests or authentication attempts from admin accounts.

For detailed upgrade paths and instructions, consult the official Cisco Security Advisory.

Security Insight

This flaw highlights the persistent risk of command injection in network infrastructure, even from authenticated starting points. It mirrors the escalation path seen in other critical Cisco vulnerabilities, such as the CVE-2026-20131 flaw in Firepower Management Center exploited for ransomware. The requirement for only low-privilege credentials underscores that internal segmentation and strict access controls are as critical as perimeter defense.

Update - May 2026

As of 2026-05-12, Cisco has released software updates addressing CVE-2026-20186 for all affected ISE versions. The advisory (cisco-sa-ise-cmd-inj-2026-20186) was revised on 2026-04-22 to clarify that patched releases ISE 3.4 Patch 7 and ISE 3.5 Patch 2 supersede earlier hotfixes. No additional CVEs in the ISE command injection suite have been published this month.

The EPSS probability of exploitation in the wild remains negligible at 0.0028 (52nd percentile), essentially unchanged from the original 0.00284, indicating no observed shift in attacker targeting. CISA has not added CVE-2026-20186 to the Known Exploited Vulnerabilities catalog; ongoing monitoring is recommended.

No confirmed exploitation or detection signatures have been publicly reported. However, given the high privileges required (authenticated admin) and ease of exploitation (no user interaction, low attack complexity), defenders should prioritize patching over monitoring for this CVE. Immediate action: apply ISE 3.4 Patch 7 or 3.5 Patch 2 on all administrative interfaces. Restrict ISE management access to trusted, segmented networks. Audit logs for anomalous command execution sequences originating from authenticated admin accounts.

Further Reading

• Interlock Ransomware Exploits Cisco FMC Zero-Day
• CISA Warns of Zimbra, SharePoint Exploits; Cisco
• DarkSword iOS Exploit Kit Uses 6 Flaws, 3 Zero-Days for
• All Critical Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs