5 min read
By: RedLegg's Cyber Threat Intelligence Team
About:
CVE-2026-20180 is a critical remote code execution vulnerability affecting Cisco Identity Services Engine (ISE). The flaw allows an authenticated attacker to send crafted HTTP requests to execute arbitrary commands on the underlying operating system.
While exploitation requires valid access, successful compromise may allow attackers to gain control of identity infrastructure, manipulate authentication systems, and impact network access controls across the environment.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Remote Code Execution Vulnerability in Cisco Identity Services Engine
Identifier: CVE-2026-20180
CVSS Score: 9.9 (Critical, CVSS v3.1)
PoC or Exploitation:
There are no confirmed reports of active exploitation in the wild and no validated public proof-of-concept exploit code.
Update/ Patch:
Cisco has released fixed software for this vulnerability in Cisco Identity Services Engine.
Fixed versions include:
- 3.2 Patch 8
- 3.3 Patch 8
- 3.4 Patch 4
Cisco advisory and patch guidance:
Description:
CVE-2026-20180 affects Cisco Identity Services Engine. This vulnerability allows an authenticated remote attacker to execute arbitrary commands on the underlying operating system through crafted HTTP requests.
Mitigation Recommendation:
Immediately upgrade Cisco Identity Services Engine to the fixed versions provided by Cisco.
Restrict access to Cisco ISE administrative and web interfaces to trusted management networks only.
Review administrative access controls and ensure only required accounts have access to the platform.
Monitor Cisco ISE and supporting web logs for suspicious crafted HTTP requests, unexpected administrative activity, or signs of command execution.
