Patch Cisco ISE bug now before attackers abuse proof-of-concept exploit
- Reference: 1767897782
- News link: https://www.theregister.co.uk/2026/01/08/rcisco_ise_bug_poc/
- Source link:
ISE is Cisco's network access control and security policy platform, and companies use it to centrally manage and enforce security policies across users and devices.
The bug, tracked as [1]CVE-2026-20029, received a medium-severity 4.9 CVSS rating and it affects ISE and ISE-PIC, regardless of device configuration. It's due to improper parsing of XML processed by ISE and ISE-PIC's web-based management interface.
"An attacker could exploit this vulnerability by uploading a malicious file to the application," according to the Wednesday [3]security advisory. "A successful exploit could allow the attacker to read arbitrary files from the underlying operating system that could include sensitive data that should otherwise be inaccessible even to administrators."
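The advisory describes the flaw only as improper parsing of XML in an uploaded file (its identifier carries the label "xxe"). As an added illustration, not Cisco's code or its fix, the Python below shows the generic defence for that class of bug: refuse any uploaded XML that carries a DOCTYPE before the application's parser processes it. The function names and sample documents are constructed for this example.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class RejectedUpload(ValueError):
    """Raised when an uploaded XML file must not be handed to a parser."""


def _refuse_doctype(name, system_id, public_id, has_internal_subset):
    # Entities (internal or external) can only be declared inside a DTD,
    # so refusing the DOCTYPE refuses every custom entity with it.
    raise RejectedUpload(f"DOCTYPE not allowed in uploads (root {name!r})")


def parse_upload(data: bytes) -> ET.Element:
    """Return the parsed root only if the upload declares no DTD."""
    guard = expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _refuse_doctype
    try:
        guard.Parse(data, True)   # first pass: well-formedness and DTD check
    except expat.ExpatError as exc:
        raise RejectedUpload(f"malformed XML: {exc}") from exc
    return ET.fromstring(data)    # second pass: build the tree


def is_accepted(data: bytes) -> bool:
    try:
        parse_upload(data)
        return True
    except RejectedUpload:
        return False


# Constructed sample uploads (not taken from the advisory or any PoC).
BENIGN = b"<policy><name>guest</name><vlan>20</vlan></policy>"
WITH_DTD = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE policy [<!ENTITY ref SYSTEM "file:///constructed/placeholder">]>\n'
    b"<policy><name>&ref;</name></policy>"
)
TRUNCATED = b"<policy><name>guest</name>"

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("dtd", WITH_DTD), ("truncated", TRUNCATED)]:
        print(label, "accepted" if is_accepted(doc) else "rejected")
```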
Cisco credited Trend Micro Zero Day Initiative's bug hunter Bobby Gould with spotting and reporting this vulnerability.
"This vulnerability does require authentication, so that's the first barrier to exploitation," ZDI's Head of Threat Awareness Dustin Childs told The Register, adding that ZDI doesn't expect to see widespread abuse of this flaw given its high-privilege requirements.
But, assuming that an attacker [7]stole or otherwise obtained admin credentials, they "could leak the contents of files on an affected system," Childs added.
The good news is that, as of now, Cisco and ZDI say they're not aware of any in-the-wild abuse of this CVE.
But considering the existence of a POC, which provides a blueprint on how to exploit the bug, we're guessing that CVE-2026-20029's exploitation status will soon change - so patch now.
[8]Attackers turned Citrix, Cisco 0-day exploits into custom-malware hellscape
[9]No login? No problem: Cisco ISE flaw gave root access before fix arrived, say researchers
[10]Watch out, another max-severity, make-me-root Cisco bug on the loose
[11]One criminal, 50 hacked organizations, and all because MFA wasn't turned on
It's unclear who published the POC, and Childs told us it wasn't ZDI. "We have not published PoC for this bug and have no plans to do so," he said. "We're not aware where the public PoC was published."
Companies should prioritize implementing this fix as networking devices are long-time favorites among [12]government-backed attackers - and especially [13]those from China - which means companies shouldn't leave these holes open for long.
In November, [15]Amazon warned that an "advanced" attacker had exploited a max-severity ISE bug ([16]CVE-2025-20337) as a zero-day to deploy custom malware.
In July, researchers warned that miscreants had been [17]exploiting another 10 out of 10 CVSS-rated ISE flaw ([18]CVE-2025-20281), prompting Cisco to acknowledge in-the-wild activity and urge customers to patch.
The networking giant had originally disclosed CVE-2025-20281 in a June security advisory covering multiple [19]max-severity flaws in the same ISE products, and later updated the bulletin as exploitation emerged. ®
[1] https://nvd.nist.gov/vuln/detail/CVE-2026-20029
[3] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-xxe-jWSbSDKt
[7] https://www.theregister.com/2026/01/06/50_global_orgs_hacked/
[8] https://www.theregister.com/2025/11/12/amazon_cisco_citrix_0day_exploits/
[9] https://www.theregister.com/2025/07/24/no_login_no_problem_cisco_flaw/
[10] https://www.theregister.com/2025/07/17/critical_cisco_bug/
[11] https://www.theregister.com/2026/01/06/50_global_orgs_hacked/
[12] https://www.theregister.com/2024/04/24/spies_cisco_firewall/
[13] https://www.theregister.com/2025/02/13/salt_typhoon_pwned_7_more/
[15] https://www.theregister.com/2025/11/12/amazon_cisco_citrix_0day_exploits/
[16] https://nvd.nist.gov/vuln/detail/CVE-2025-20337
[17] https://www.theregister.com/2025/07/24/no_login_no_problem_cisco_flaw/
[18] https://nvd.nist.gov/vuln/detail/CVE-2025-20281
[19] https://www.theregister.com/2025/06/26/patch_up_cisco_fixes_two/
Cisco?
Again?
WHOCOULDAKNOWED?