
【Vulnerability Alert】Three Critical Security Vulnerabilities Have Been Identified in Cisco Identity Services

Publish date: 2026-04-24
Update date: 2026-04-24

Source: Ministry of education information & communication security contingency platform

Publication Number: TACERT-ANA-2026041709042020
Publication Time: 2026/04/17 09:43
Incident Type: ANA-Vulnerability Alert
Discovery Time: 2026/04/17 09:43
Impact Level: Low
[Subject]
【Vulnerability Alert】Three Critical Security Vulnerabilities Have Been Identified in Cisco Identity Services
[Content]
Forwarded from TWCERTCC-200-202604-00000018

Cisco Identity Services Engine (ISE) is an identity-based security management platform that collects information from networks and user devices, enforces policies, and makes control decisions within the network infrastructure. Cisco recently issued a critical security vulnerability advisory.

【CVE-2026-20180, CVSS: 9.9 and CVE-2026-20186, CVSS: 9.9】 Both are remote code execution vulnerabilities that allow an authenticated remote attacker to execute arbitrary commands on the affected underlying operating system. Successful exploitation of these vulnerabilities requires that the attacker have at least read-only administrator privileges.

【CVE-2026-20147, CVSS: 9.9】 This vulnerability allows an authenticated remote attacker to execute arbitrary commands on the underlying operating system of an affected device. Successful exploitation of this vulnerability requires that the attacker possess valid administrator credentials.


(Information Sharing Level: WHITE (Information content can be publicly disclosed))
[Affected Platform]

Cisco ISE versions up to and including 3.2
Cisco ISE version 3.2
Cisco ISE version 3.3
Cisco ISE version 3.4
Cisco ISE or Cisco ISE-PIC versions up to and including 3.1
Cisco ISE or Cisco ISE-PIC version 3.2
Cisco ISE or Cisco ISE-PIC version 3.3
Cisco ISE or Cisco ISE-PIC version 3.4
Cisco ISE or Cisco ISE-PIC version 3.5

[Recommended Actions]

【CVE-2026-20180, CVE-2026-20186】 Cisco ISE 3.2 Patch 8, Cisco ISE 3.3 Patch 8, Cisco ISE 3.4 Patch 5

【CVE-2026-20147】 Cisco ISE or Cisco ISE-PIC 3.1 Patch 11, Cisco ISE or Cisco ISE-PIC 3.2 Patch 10, Cisco ISE or Cisco ISE-PIC 3.3 Patch 11, Cisco ISE or Cisco ISE-PIC 3.4 Patch 6, Cisco ISE or Cisco ISE-PIC 3.5 Patch 3

Note: Cisco ISE-PIC has reached end of sale, and version 3.4 is the last supported version.
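
The following inventory check is an added example, not part of the original notice or of any Cisco tooling. It compares each node's release and installed patch against the fixed patch levels listed above and reports which CVEs remain open. The CSV column names and host names are hypothetical, and the assignment of affected releases to each CVE group is an assumption read from the order of the [Affected Platform] list.

```python
import csv
import io

# Fixed patch levels transcribed from [Recommended Actions]. Which affected
# releases belong to which CVE group is an assumption read from the order of
# the [Affected Platform] list, which does not label its entries.
ADVISORY = [
    {"cves": ("CVE-2026-20180", "CVE-2026-20186"),
     "products": {"ISE"},
     "newest_affected": (3, 4),
     "fixed": {(3, 2): 8, (3, 3): 8, (3, 4): 5}},
    {"cves": ("CVE-2026-20147",),
     "products": {"ISE", "ISE-PIC"},
     "newest_affected": (3, 5),
     "fixed": {(3, 1): 11, (3, 2): 10, (3, 3): 11, (3, 4): 6, (3, 5): 3}},
]

def triage(product, release, patch):
    """Return {cve: status} for one node."""
    rel = tuple(int(x) for x in release.split(".")[:2])  # "3.2.0" -> (3, 2)
    out = {}
    for group in ADVISORY:
        if product not in group["products"] or rel > group["newest_affected"]:
            status = "not listed as affected"
        elif rel not in group["fixed"]:
            # Older release: listed as affected, but no patch is named for it.
            status = "affected, no fixed patch listed"
        elif patch >= group["fixed"][rel]:
            # ISE patches are cumulative, so a higher number includes the fix.
            status = "patched"
        else:
            status = f"needs Patch {group['fixed'][rel]}"
        out.update(dict.fromkeys(group["cves"], status))
    return out

def outstanding(inventory_csv):
    """Map host -> {cve: status} for every node that still needs action."""
    todo = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result = triage(row["product"], row["release"], int(row["patch"]))
        open_items = {c: s for c, s in result.items()
                      if s.startswith(("needs", "affected"))}
        if open_items:
            todo[row["host"]] = open_items
    return todo

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE = "host,product,release,patch\nise-pan-01,ISE,3.2.0,8\nise-psn-02,ISE,3.4,6\npic-01,ISE-PIC,3.3,4\n"

if __name__ == "__main__":
    for host, items in outstanding(SAMPLE).items():
        print(host, items)
```

A node that satisfies the patch level for one CVE group can still be open for the other, as the first sample host shows: Patch 8 on release 3.2 covers CVE-2026-20180 and CVE-2026-20186 but not CVE-2026-20147.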

[Reference]
https://www.twcert.org.tw/tw/cp-169-10849-9d3d6-1.html
(This notification is for informational purposes only and does not constitute a cybersecurity incident).
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer: Computer Center