CVE-2026-20190 – Cisco Identity Services Engine Software
“Identity platforms become high-value targets when attackers can reach the operating system or expose sensitive authentication data.”
Cisco patched two vulnerabilities affecting Cisco Identity Services Engine (ISE) and ISE-PIC. CVE-2026-20181 has a CVSS score of 9.1, which is Critical severity. CVE-2026-20190 has a CVSS score of 7.5, which is High severity.
CVE-2026-20181 is an input validation vulnerability that allows an authenticated administrator to execute arbitrary commands on the underlying operating system through crafted HTTP requests. Successful exploitation can provide user-level OS access and subsequent privilege escalation to root. In single-node deployments, exploitation could also cause a denial-of-service condition that prevents new endpoints from authenticating to the network. CVE-2026-20190 is an authorization weakness that allows an unauthenticated remote attacker to access sensitive information, including hashed credentials that could be leveraged in future attacks.
No verified exploitation, zero-day activity, or public proof-of-concept activity has been confirmed.
Key Details
- Affected Product
- Cisco Identity Services Engine
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- CWE Classification
- CWE-285