Vulnerability Analysis

CVE-2026-20147: Cisco ISE Critical RCE — What It Is & How to Fix It

Executive Summary

CVE-2026-20147 is a CVSS 9.9-rated critical remote code execution vulnerability in Cisco Identity Services Engine (ISE), the enterprise network access control (NAC) platform trusted by thousands of organizations to enforce authentication, authorization, and policy across corporate networks. An authenticated attacker — including one with only read-only administrator credentials — can send a specially crafted HTTP request to inject and execute arbitrary OS commands that immediately run as root, gaining full control of the appliance. Cisco released patches in April 2026; organizations running ISE 3.1 through 3.5 must apply them immediately, as there are no viable workarounds.


1. What Is This Vulnerability?

Technical Breakdown

CVE-2026-20147 is a command injection vulnerability rooted in insufficient validation of user-supplied input within the HTTP request handling layer of Cisco ISE and ISE Passive Identity Connector (ISE-PIC). When the application processes certain HTTP request parameters, it fails to sanitize shell metacharacters or escape command sequences before passing them to underlying OS calls.

This is classified under CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection).

The flaw is compounded by the fact that the injected commands execute with root privileges from the initial request — there is no separate privilege escalation step required. An attacker does not need to chain an additional exploit; the RCE delivers full OS-level root access in a single crafted request.

Two sibling vulnerabilities were disclosed alongside CVE-2026-20147:

CVE             | CVSS | Credential Requirement      | Attack Type
----------------|------|-----------------------------|-------------------------------------------
CVE-2026-20147  | 9.9  | Administrative credentials  | OS command injection via HTTP
CVE-2026-20180  | 9.9  | Read-only admin credentials | Command injection + privilege escalation
CVE-2026-20186  | 9.9  | Read-only admin credentials | Command injection + privilege escalation

Attack Vector

The attack flow is as follows:

  1. Attacker obtains valid Cisco ISE administrative credentials — even read-only admin level credentials are sufficient for CVE-2026-20180/20186.
  2. Attacker authenticates to the ISE web management interface.
  3. Attacker sends a crafted HTTP request with shell metacharacters embedded in a vulnerable parameter (e.g., a field passed to a system call).
  4. The ISE application server processes the parameter without sanitization and executes the injected commands as root.
  5. Attacker achieves full root shell on the ISE appliance.

A simplified conceptual payload demonstrating the injection class:

# Vulnerable parameter (unsanitized):
POST /ise/admin/api/v1/some-endpoint HTTP/1.1
Host: ise.corp.example.com
Authorization: Bearer <valid_token>
Content-Type: application/json

{
  "parameter": "value; id; whoami; cat /etc/shadow"
}

# Expected application behavior: treat entire string as data
# Actual behavior: OS executes injected commands as root

Real-World Impact

Cisco confirmed awareness of the vulnerability in April 2026 and stated no known active exploitation at the time of disclosure. However, the risk window before patching is significant, given that:

  • ISE controls network access control (NAC) for enterprise networks
  • Compromise of ISE gives an attacker the ability to modify authentication and authorization policies
  • Root access enables lateral movement, data exfiltration, and persistent backdoors

Security researchers have noted that read-only admin credentials are often shared broadly for monitoring purposes, dramatically lowering the effective barrier to exploitation in real environments.


2. Who Is Affected?

Cisco ISE and ISE-PIC versions affected by CVE-2026-20147:

ISE Version | Affected                      | Fixed Version
------------|-------------------------------|--------------------------
3.1         | Yes (all patches before P11)  | 3.1.0 Patch 11 or later
3.2         | Yes (all patches before P10)  | 3.2.0 Patch 10 or later
3.3         | Yes (all patches before P10)  | 3.3 Patch 10 or later
3.4         | Yes (all patches before P6)   | 3.4 Patch 6 or later
3.5         | Yes (all patches before P3)   | 3.5 Patch 3 or later

CVE-2026-20180 and CVE-2026-20186 affect ISE 3.4 and earlier; ISE 3.5 is not impacted by those two CVEs.

Who is most exposed:

  • Enterprises running ISE as a central NAC/RADIUS/802.1X policy engine
  • Organizations using ISE-PIC for Active Directory identity mapping
  • Environments where ISE admin credentials have been shared broadly (e.g., read-only access granted to monitoring teams)
  • Single-node ISE deployments face additional DoS risk: successful exploitation can take the node fully offline, blocking all endpoint authentication

Not affected: Organizations not running Cisco ISE or ISE-PIC at all, and those already running patched versions.


3. How to Detect It (Testing)

Manual Testing Steps

Step 1: Identify your ISE version

Log into the ISE admin GUI, navigate to Administration > System > Deployment, and check the version and patch level displayed for each node. Alternatively via CLI:

show version
show application status ise

Step 2: Cross-reference against the affected versions table

If your version/patch level is below the fixed version thresholds listed above, your instance is vulnerable.

Step 3: Check for indicators of compromise (IoC)

Review ISE system logs and OS-level logs for anomalous command execution patterns:

# On ISE CLI (admin shell):
show logging application ise-psc.log | include "cmd"
show logging application ise-psc.log | include "exec"

# Check for unexpected root-level processes or cron jobs. These are Linux shell
# commands: the ISE admin CLI does not expose the underlying root shell by default,
# so run them only where you have OS-level access (for example, a Cisco TAC-assisted
# shell) or pull the equivalent telemetry from a host-based agent:
cat /etc/crontab
ls -la /etc/cron.d/
ps aux | grep -v ise | grep root

Step 4: Review web access logs for anomalous HTTP requests

Look for requests to the ISE management API endpoints containing special characters (; | & $( )) in parameter values, particularly from authenticated sessions.

Automated Scanning

Tool: Tenable Nessus / Tenable.io

Tenable released Plugin ID 306557 specifically for these Cisco ISE vulnerabilities. Run authenticated Cisco network device scans against ISE appliances:

  • Plugin: Cisco Identity Services Engine Multiple Vulnerabilities (cisco-sa-ise-rce-...)
  • Policy: Cisco IOS/NX-OS authenticated scan
  • Expected output: Plugin fires and reports CVE-2026-20147/20180/20186 if ISE is below the patched version threshold

Tool: Cisco Software Checker

Cisco's official Software Checker tool at https://software.cisco.com/security/center/softwarechecker can confirm whether your ISE release is affected.

  • Input: Your ISE version string (e.g., 3.3.0.458)
  • Expected output: Lists applicable advisories and whether your version is patched

Tool: Rapid7 InsightVM / Nexpose

Search the vulnerability database for CVE-2026-20147 and run an authenticated scan against ISE management IPs.

Code Review Checklist

If you are a Cisco partner or operate custom ISE extensions/APIs, review any code or integrations that interact with ISE's REST API:

  • Confirm all user-supplied inputs are validated and sanitized before use
  • Verify ISE API tokens/credentials used in integrations are scoped to minimum required privilege (prefer read-only where possible)
  • Confirm ISE management interface is not exposed to untrusted network segments
  • Verify no ISE admin credentials are stored in plaintext in scripts, config files, or repositories
  • Confirm MFA is enforced for all ISE administrative logins
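The first checklist item in working code, as an added example that is not ISE code or anything from Cisco: a hypothetical integration that hands one request parameter to an OS tool, shown in the CWE-78 shape the advisory describes (parameter spliced into a shell string) next to the hardened shape (allowlist validation, then an argv list with no shell). The tool path /opt/tools/check-node and the request bodies are constructed for the illustration.

```python
import json
import re

# Strict allowlist for the one parameter this hypothetical integration hands to the OS
# (a node hostname). A leading '-' is also refused so the value cannot become an option.
SAFE_PARAM = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]{0,252}")

# Constructed request bodies: one legitimate, one carrying the page's injection pattern.
LEGIT_BODY = '{"parameter": "ise02.corp.example.com"}'
INJECTED_BODY = '{"parameter": "value; id; whoami"}'

def vulnerable_command(body):
    """CWE-78 pattern: the parameter is spliced into a string meant for shell=True,
    so ';' ends the intended command and the shell runs whatever follows."""
    param = json.loads(body)["parameter"]
    return f"/opt/tools/check-node {param}"   # /opt/tools/check-node is hypothetical

def hardened_argv(body):
    """Reject anything outside the allowlist, then build an argv list for
    subprocess.run(argv) with shell=False, so no shell ever parses the value."""
    param = json.loads(body)["parameter"]
    if not isinstance(param, str) or not SAFE_PARAM.fullmatch(param):
        raise ValueError("parameter rejected: outside the hostname allowlist")
    return ["/opt/tools/check-node", param]

def accepted(body):
    """Reviewer helper: True if the hardened path would accept this request body."""
    try:
        hardened_argv(body)
        return True
    except ValueError:
        return False
```

The point for review is the second function: the fix is not escaping metacharacters out of the string, it is never letting a shell see the value at all, plus an allowlist tight enough that option-style values are refused too.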

4. How to Fix It (Mitigation)

Step-by-Step Remediation

1. Download the appropriate patch from Cisco's Software Center

Navigate to software.cisco.com and download the correct fixed release for your ISE version:

Your ISE Version | Target Patch
-----------------|----------------
3.1.x            | 3.1.0 Patch 11
3.2.x            | 3.2.0 Patch 10
3.3.x            | 3.3 Patch 10
3.4.x            | 3.4 Patch 6
3.5.x            | 3.5 Patch 3

2. Back up ISE configuration before patching

# On ISE CLI (the ise-config keyword selects a configuration backup;
# ise-config-backup is the backup name you choose):
backup ise-config-backup repository <repo-name> ise-config encryption-key plain <key>

Verify the backup completes successfully before proceeding.

3. Apply the patch (primary/standalone nodes first)

Via the ISE Admin GUI:

  • Navigate to Administration > System > Maintenance > Patch Management
  • Click Install and upload the downloaded patch file
  • Monitor the patch installation progress — ISE will restart services automatically

Via CLI (if GUI is unavailable):

patch install <patch-filename.tar.gz> <repository-name>

4. For distributed deployments — patch in sequence

  • Patch secondary PSNs (Policy Service Nodes) first
  • Then secondary PAN (Policy Administration Node)
  • Then primary PAN last (this causes a brief admin UI outage)
  • ISE will automatically restart required services on each node after patching

5. Verify patch installation

show version
# Confirm patch level matches the fixed version (e.g., 3.3.0 Patch 10)

show application status ise
# Confirm all ISE services return to Running state

Configuration Hardening (Apply Regardless of Patch Status)

These compensating controls reduce exposure while patching is in progress:

Restrict ISE admin GUI network access:

# Via ISE Admin GUI:
# Administration > System > Admin Access > Access > IP Access > Administrative Bypass Network
# Allowlist only trusted management subnets (e.g., 10.0.1.0/24)
# Block all other access to TCP 443 (admin GUI) at the firewall/ACL layer

Enforce MFA on all ISE admin accounts:

  • Navigate to Administration > System > Admin Access > Authentication > Authentication Method
  • Configure RSA SecurID, Duo, or RADIUS-based MFA for admin console logins

Audit and rotate all ISE admin credentials immediately:

  • Disable or delete unused admin accounts
  • Reset passwords for all active admin accounts
  • Revoke and reissue any ISE API tokens/keys in use

Minimize admin account privilege levels:

  • Grant read-only admin roles only where full admin access is not required
  • Avoid sharing admin credentials across teams

5. How to Test the Fix (Validation)

Regression Test Scenarios

Scenario A: Confirm patched version is active

On each ISE node, run:

show version

Verify the patch level in the output matches or exceeds the fixed version for your release train.

Scenario B: Confirm admin console is accessible only from authorized hosts

From an authorized management host: confirm the ISE admin GUI loads normally at https://ise.corp.example.com.

From an unauthorized host/VLAN: confirm connection is refused or timed out (firewall/ACL validation).

Scenario C: Confirm ISE policy enforcement is functioning normally

Test a sample endpoint authentication (802.1X, MAB, or VPN) and verify:

  • Endpoint receives correct authorization result (permit/deny/VLAN)
  • RADIUS accounting logs appear correctly in ISE Live Logs
  • No authentication failures introduced by the patch

Security Test Cases

Test Case 1: Verify the vulnerability no longer exists

  • Precondition: Patch applied to ISE node
  • Steps: Using an authenticated admin session, send HTTP requests to the ISE management API with shell metacharacters in parameter values (work with your security team and a controlled test account)
  • Expected Result: The application returns a 400 Bad Request or similar error; no command execution occurs; ISE logs the anomalous request

Test Case 2: Confirm read-only admin cannot escalate

  • Precondition: Patch applied; read-only admin test account created
  • Steps: Authenticate as read-only admin; attempt to access admin-level API endpoints or perform privileged operations
  • Expected Result: 403 Forbidden; no escalation occurs

Test Case 3: Confirm no DoS condition

  • Precondition: Patch applied on single-node ISE (if applicable)
  • Steps: Perform a simulated high-load authentication test
  • Expected Result: ISE remains online and responsive; no service disruption

Automated Tests

A Python snippet for version compliance verification (run from your network management tooling):

import os
import re
import paramiko

# Nodes to check. Credentials come from the environment (or a vault lookup),
# never hard-coded in the script.
ISE_NODES = [
    {"host": "ise01.corp.example.com", "user": "admin"},
    {"host": "ise02.corp.example.com", "user": "admin"},
]
ISE_PASSWORD = os.environ["ISE_ADMIN_PASSWORD"]

# Highest vulnerable patch level per release train (fixed in P11/P10/P10/P6/P3).
VULNERABLE_VERSIONS = {
    "3.1": 10,   # Patch 10 and below are vulnerable
    "3.2": 9,
    "3.3": 9,
    "3.4": 5,
    "3.5": 2,
}

def fetch_show_version(host, user, password):
    client = paramiko.SSHClient()
    # Verify host keys instead of auto-accepting unknown ones.
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())
    client.connect(host, username=user, password=password)
    # Some ISE releases only accept commands over an interactive session
    # (client.invoke_shell()); exec_command is kept from the original snippet.
    stdin, stdout, stderr = client.exec_command("show version")
    output = stdout.read().decode()
    client.close()
    return output

def parse_release_and_patch(output):
    # Assumed layout: "Version : 3.3.0.430" in the ISE block and one
    # "Version : N" line per installed patch; the highest N is the patch level.
    versions = re.findall(r"Version\s*:\s*(\S+)", output)
    release = next((v for v in versions if "." in v), None)
    patches = [int(v) for v in versions if v.isdigit()]
    return release, (max(patches) if patches else 0)

def is_vulnerable(release, patch):
    if release is None:
        return None   # could not parse; review the node manually
    train = ".".join(release.split(".")[:2])
    return train in VULNERABLE_VERSIONS and patch <= VULNERABLE_VERSIONS[train]

for node in ISE_NODES:
    release, patch = parse_release_and_patch(
        fetch_show_version(node["host"], node["user"], ISE_PASSWORD))
    verdict = {True: "VULNERABLE", False: "patched", None: "UNKNOWN"}[is_vulnerable(release, patch)]
    print(f"{node['host']}: {release} Patch {patch} -> {verdict}")

6. Prevention & Hardening

Best Practices

Principle of Least Privilege for ISE Admins: Grant ISE admin roles at the minimum level required for each team's function. Use ISE's built-in RBAC to create custom admin roles rather than assigning full admin rights broadly. Never share admin credentials across users.

Network Segmentation — Isolate the ISE Management Plane: The ISE admin GUI (TCP 443) should never be reachable from general corporate networks, guest networks, or the internet. Place ISE management interfaces in a dedicated out-of-band management VLAN, reachable only from jump hosts or privileged access workstations (PAWs) via firewall ACL enforcement.

Enforce MFA for All Administrative Access: Implement multi-factor authentication for all ISE admin logins. ISE supports integration with RADIUS-based MFA providers (Duo, RSA SecurID). This raises the bar significantly even if credentials are compromised.

Establish a Patch Cadence: Subscribe to Cisco Security Advisories for ISE and review new advisories monthly. Treat Critical (CVSS 9.0+) patches as requiring remediation within 72 hours; High (CVSS 7.0–8.9) within two weeks.

Credential Hygiene — Rotate Regularly: ISE admin passwords and API tokens should be rotated at least quarterly, and immediately upon any personnel changes or suspected compromise. Store credentials in a PAM solution (e.g., CyberArk, HashiCorp Vault), not in scripts or documentation.

Monitoring & Detection

Enable ISE Operational Audit Logging:

  • Navigate to Administration > System > Logging > Logging Categories
  • Ensure Administrative and Operational Audit logs are enabled and forwarded to your SIEM

SIEM Detection Rule — Anomalous ISE Admin Activity:

# Splunk SPL example; QRadar needs the equivalent AQL. Field and sourcetype
# names depend on your ISE add-on, so adjust them to what your index carries.
index=cisco_ise sourcetype="ise:syslog" category="CISE_Administrative_and_Operational_Audit"
| where like(message, "%;%") OR like(message, "%|%") OR like(message, "%$(%") OR like(message, "%&&%")
| stats count by src_ip, admin_user, message
# Save the search as a scheduled alert named "Potential ISE Command Injection Attempt";
# any returned row is a hit, so no trailing "count > 0" filter is needed.
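The same detection logic run offline, as an added example that is not part of the page or of any Cisco or Splunk content, covering both the Step 4 review of parameter values for shell metacharacters and the SIEM rule's count-by-source grouping. The log records are constructed and simplified (key=value fields loosely modelled on the ISE administrative audit category; real records carry many more fields), and metacharacters are only looked for in parameter-bearing fields, since a request URI legitimately contains "&".

```python
import re
from collections import Counter

# Shell metacharacters that have no place in a legitimate ISE admin parameter value.
SHELL_META = re.compile(r";|\|\||\||&&|&|\$\(|`")

# Request metadata fields are not inspected: a RequestURI query string legitimately has '&'.
METADATA_KEYS = {"AdminIPAddress", "AdminName", "AdminInterface", "RequestURI"}

# Constructed, simplified records loosely modelled on the ISE administrative audit
# category; real CISE_Administrative_and_Operational_Audit syslog has many more fields.
SAMPLE_LOGS = [
    "CISE_Administrative_and_Operational_Audit AdminIPAddress=10.0.1.15, AdminName=jdoe, "
    "AdminInterface=GUI, RequestURI=/ise/admin/api/v1/some-endpoint, Parameter=value",
    "CISE_Administrative_and_Operational_Audit AdminIPAddress=198.51.100.7, AdminName=monitor-ro, "
    "AdminInterface=API, RequestURI=/ise/admin/api/v1/some-endpoint, Parameter=value; id; whoami",
    "CISE_Administrative_and_Operational_Audit AdminIPAddress=198.51.100.7, AdminName=monitor-ro, "
    "AdminInterface=API, RequestURI=/ise/admin/api/v1/some-endpoint, Parameter=$(id)",
    "CISE_Administrative_and_Operational_Audit AdminIPAddress=10.0.1.20, AdminName=asmith, "
    "AdminInterface=GUI, RequestURI=/ise/admin/api/v1/policy?page=1&size=50, Description=guest VLAN review",
]

def parse_record(line):
    """Split the key=value tail of an audit record into a dict."""
    _, _, body = line.partition(" ")
    fields = {}
    for pair in body.split(", "):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def injection_indicators(line):
    """Return (field, token) pairs for metacharacters found in parameter-bearing fields."""
    hits = []
    for key, value in parse_record(line).items():
        if key in METADATA_KEYS:
            continue
        hits.extend((key, m.group(0)) for m in SHELL_META.finditer(value))
    return hits

def alert_counts(lines):
    """Counterpart of 'stats count by src_ip, admin_user': suspicious records per source."""
    counts = Counter()
    for line in lines:
        if injection_indicators(line):
            f = parse_record(line)
            counts[(f.get("AdminIPAddress"), f.get("AdminName"))] += 1
    return counts
```

Two records from the read-only monitoring account trip the check while the benign request with "&" in its query string does not; tune METADATA_KEYS to whichever fields in your real records carry free text or URIs.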

Monitor for Unexpected OS-Level Activity on ISE Appliances:

If your ISE appliances have host-based monitoring (e.g., via Cisco Secure Endpoint/AMP for Endpoints), create alerts for:

  • New cron job creation
  • Unexpected outbound network connections from the ISE appliance
  • New user accounts or SSH authorized_keys modifications
  • Unexpected processes running as root outside of known ISE service accounts

Network-Level IDS/IPS Signatures:

Ensure your perimeter IDS/IPS has up-to-date Cisco Snort/Talos rule sets. Cisco Talos released detection content for this advisory class; confirm your rule update subscription is current.

