CVE-2026-20029
📋 TL;DR
An XML External Entity (XXE) vulnerability in Cisco ISE and ISE-PIC allows authenticated administrators to read arbitrary files on the underlying operating system. The flaw stems from improper XML parsing in the web-based management interface when a malicious file is uploaded. Only Cisco ISE and ISE-PIC systems are affected, and exploitation requires administrative access.
💻 Affected Systems
- Cisco Identity Services Engine (ISE)
- Cisco ISE Passive Identity Connector (ISE-PIC)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Administrator reads sensitive system files, configuration files, or credentials stored on the OS, potentially leading to full system compromise.
Likely Case
Administrator reads configuration files containing passwords, keys, or other sensitive data that should be protected.
If Mitigated
No impact if proper access controls and patching are implemented.
🎯 Exploit Status
Exploitation requires administrative credentials and ability to upload files to the web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Multiple fixed versions - see Cisco advisory
Vendor Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxe-jWSbSDKt
Restart Required: Yes
Instructions:
1. Review Cisco advisory for specific fixed versions.
2. Backup configuration.
3. Apply appropriate patch/upgrade.
4. Restart services.
5. Verify fix.
🔧 Temporary Workarounds
Restrict Administrative Access
Limit administrative access to only trusted users and networks.
Monitor File Uploads
Implement monitoring for file uploads to the ISE management interface.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate ISE management interfaces
- Enforce multi-factor authentication for all administrative accounts
🔍 How to Verify
Check if Vulnerable:
Check ISE version via CLI: show version, then compare to vulnerable versions in Cisco advisory.
Check Version:
show version
Verify Fix Applied:
Verify version is updated to fixed version listed in Cisco advisory.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to management interface
- Administrative access from unexpected sources
- XML parsing errors in application logs
Network Indicators:
- HTTP POST requests with XML content to management interface
- File uploads to administrative endpoints
SIEM Query:
source="ISE" AND (event_type="file_upload" OR http_method="POST") AND uri CONTAINS "/admin/"
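The "Monitor File Uploads" workaround and the upload indicators above can be backed by a content check on the uploaded files themselves. The Python below is an added example, not code from Cisco or from this page: it scans a file's bytes for a DTD and external entity declarations without ever handing the file to an XML parser. The function names, verdict labels and sample documents are assumptions constructed for illustration.

```python
import re

# BOMs, longest first: UTF-16/32 uploads hide "<!ENTITY" from a plain byte search.
_BOMS = ((b"\xff\xfe\x00\x00", "utf-32-le"), (b"\x00\x00\xfe\xff", "utf-32-be"),
         (b"\xff\xfe", "utf-16-le"), (b"\xfe\xff", "utf-16-be"), (b"\xef\xbb\xbf", "utf-8"))
_COMMENT = re.compile(r"<!--.*?-->", re.S)
_DOCTYPE = re.compile(r"<!DOCTYPE\s")
_LIT = r"""(?:"[^"]*"|'[^']*')"""
_ENTITY = re.compile(
    r"<!ENTITY\s+(?P<param>%\s+)?(?P<name>[^\s\"'<>%]+)\s+"
    r"(?:(?P<kind>SYSTEM|PUBLIC)\s+)?(?P<lits>" + _LIT + r"(?:\s*" + _LIT + r")?)")


def decode_upload(data: bytes) -> str:
    """Decode uploaded bytes to text, honouring a BOM or BOM-less UTF-16."""
    for bom, enc in _BOMS:
        if data.startswith(bom):
            return data[len(bom):].decode(enc, errors="replace")
    if data[:2] in (b"<\x00", b"\x00<"):  # BOM-less UTF-16
        return data.decode("utf-16-le" if data[0] else "utf-16-be", errors="replace")
    return data.decode("utf-8", errors="replace")


def inspect_xml_upload(data: bytes) -> dict:
    """Report DTD and entity declarations without ever parsing the XML."""
    text = _COMMENT.sub("", decode_upload(data))  # comment bodies are inert
    report = {"doctype": bool(_DOCTYPE.search(text)), "external": [], "internal": []}
    for m in _ENTITY.finditer(text):
        name = ("%" if m.group("param") else "") + m.group("name")
        if m.group("kind"):
            # The system identifier is the last quoted literal in the declaration.
            system_id = re.findall(_LIT, m.group("lits"))[-1][1:-1]
            report["external"].append((name, system_id))
        else:
            report["internal"].append(name)
    # Assumed policy: external entities alert; any other DTD is queued for review.
    report["verdict"] = ("alert" if report["external"]
                         else "review" if report["doctype"] else "clean")
    return report


# Constructed samples (not captured from any real system).
BENIGN = b'<?xml version="1.0"?><config><name>demo</name></config>'
SUSPECT = (b'<?xml version="1.0"?><!DOCTYPE c [<!ENTITY ext SYSTEM '
           b'"file:///placeholder/path">]><c>&ext;</c>')

if __name__ == "__main__":
    for sample in (BENIGN, SUSPECT, SUSPECT.decode().encode("utf-16")):
        print(inspect_xml_upload(sample))
```

Run it against files captured by upload monitoring; an "alert" verdict together with the file name and the uploading admin account gives the SIEM a concrete event to correlate with the indicators listed above.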