Critical Command Injection Vulnerability in Cisco ISE (CVE-2026-20147)

Severity: High (Score: 71.0)

Sources: github.com, Feedly, exploit-intel.com, www.thehackerwire.com, infosec.exchange

Summary

A command injection vulnerability identified as CVE-2026-20147 has been discovered in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). This vulnerability allows authenticated remote attackers with valid administrative credentials to execute arbitrary commands on the underlying operating system by sending crafted HTTP requests. Successful exploitation can lead to privilege escalation and denial of service (DoS) in single-node deployments, making the ISE node unavailable for unauthenticated endpoints. The CVSS base score for this vulnerability is 9.9, indicating high severity with significant impacts on confidentiality, integrity, and availability. Currently, there is no public proof-of-concept or patch information available. Security professionals are advised to restrict administrative access and monitor for suspicious activity. The vulnerability was published on April 15, 2026. Key Points: • CVE-2026-20147 is a critical command injection vulnerability in Cisco ISE with a CVSS score of 9.9. • Authenticated attackers can exploit this vulnerability to execute arbitrary commands and escalate privileges. • No patches or public exploits are currently available, necessitating immediate security measures.

Key Entities

• DDoS (attack_type)
• Zero-day Exploit (attack_type)
• Command Injection (attack_type)
• CVE-2026-20147 (cve)
• CVE-2026-30995 (cve)
• T1059 - Command and Scripting Interpreter (mitre_attack)
• T1078 - Valid Accounts (mitre_attack)
• Cisco Identity Services Engine (platform)
• Cisco ISE Passive Identity Connector (platform)
• Cisco Ise-pic (platform)