Cisco patched a bug in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) products that allows remote attackers with admin-level privileges to access sensitive information – and warned that a public, proof-of-concept exploit for the flaw exists online.

ISE is Cisco’s network access control and security policy platform, and companies use it to centrally manage and enforce security policies across users and devices.

The bug, tracked as CVE-2026-20029, received a medium-severity 4.9 CVSS rating and it affects ISE and ISE-PIC, regardless of system configuration. It is due to improper parsing of XML processed by ISE and ISE-PIC’s web-based administration interface.

“An attacker might exploit this vulnerability by importing a malicious file to the application,” according to the Wednesday security advisory. “A successful exploit might enable the attacker to read arbitrary files from the underlying operating system that might include sensitive data that should otherwise be inaccessible even to administrators.”

Cisco credited Trend Micro Zero Day Initiative’s bug hunter Bobby Gould with spotting and reporting this vulnerability.

“This vulnerability does require authentication, so that’s the first barrier to exploitation,” ZDI’s Head of Threat Awareness Dustin Childs told The Register, adding that ZDI does not expect to see widespread abuse of this flaw given its high-privilege requirements.

However, assuming that an attacker stole or otherwise obtained admin credentials, they “might leak the contents of files on an affected system,” Childs added.

The good news is that, as of now, Cisco and ZDI say they are not aware of any in-the-wild abuse of this CVE.

But considering the existence of a POC, which provides a blueprint on how to exploit the bug, we’re guessing that CVE-2026-20029’s exploitation status will soon change – so patch now.

It is unclear who published the POC, and Childs told us it wasn’t ZDI. “We’ve not published PoC for this bug and have no plans to do so,” he said. “We’re not aware where the public PoC was published.”

Companies should prioritize implementing this fix as networking devices are long-time favorites among government-backed attackers – and especially those from China – which means companies should not leave these holes open for long.

In November, Amazon warned that an “advanced” attacker had exploited a max-severity ISE bug (CVE-2025-20337) as a zero-day to deploy custom malware.

In July, researchers warned that miscreants had been exploiting another 10 out of 10 CVSS-rated ISE flaw (CVE-2025-20281), prompting Cisco to acknowledge in-the-wild activity and urge customers to patch.

The networking giant had initially disclosed CVE-2025-20281 in a June security advisory covering multiple max-severity flaws in the same ISE products, and later updated the bulletin as exploitation emerged. ®

