Critical Auth‑Based Command Injection (CVE‑2026‑20181) in Cisco ISE Grants Root Access
What It Is — Cisco’s Identity Services Engine (ISE) and ISE‑PIC contain a critical command‑execution flaw (CVE‑2026‑20181) that lets an attacker with valid admin credentials send crafted HTTP requests to run arbitrary OS commands and elevate to root. A second high‑severity flaw (CVE‑2026‑20190) can expose hashed credentials to unauthenticated users.
Exploitability — Requires authenticated administrative access; no public exploits reported. CVSS 9.1 (critical). Cisco has released patches for affected versions and a hot‑fix for 3.5.
Affected Products — Cisco Identity Services Engine (ISE) 3.3, 3.4, 3.5 and ISE‑PIC.
Why It Matters for Compliance & Audit Readiness —
- SOC 2 CC6.1 (Logical Access) requires documented, least‑privilege admin accounts and continuous monitoring of privileged activity.
- Timely patching and change‑management are evidence required for the Security principle.
- A breach stemming from privileged misuse would invalidate the “Access Control” trust criteria, jeopardizing audit conclusions.
Recommended Actions —
- Verify that all admin accounts enforce MFA and follow least‑privilege principles.
- Apply Cisco’s Patch 11 (3.3) / Patch 6 (3.4) immediately; deploy the hot‑fix for 3.5 and schedule Patch 4.
- Enable detailed command‑execution logging on ISE nodes and ingest logs into a SIEM for continuous SOC 2 control monitoring.
- Review and update your privileged‑access‑management (PAM) policies to reflect the new risk.
Source: SecurityAffairs article