[Date: 2026/05/08]

【Vulnerability Alert】Three Major Security Vulnerabilities in Cisco Identity Services

  • Subject: 【Vulnerability Alert】Three Major Security Vulnerabilities in Cisco Identity Services


  • Description:
    • Forwarded from TWCERT/CC Security Alert: TWCERTCC-200-202604-00000018
    • Cisco Identity Services Engine (ISE) is an identity-based network access control and policy platform: it collects identity and device information from the network and from user endpoints and uses it to make and enforce access-policy decisions across the network infrastructure. Cisco has recently published advisories for three high-severity vulnerabilities in ISE.
    • 【CVE-2026-20180, CVSS: 9.9, and CVE-2026-20186, CVSS: 9.9】 Both are remote code execution (RCE) vulnerabilities that allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system of an affected device.
    • To exploit these two vulnerabilities the attacker needs at least read-only administrator privileges; a low-privilege (read-only) admin account is therefore sufficient, so such accounts should be treated as sensitive when assessing exposure.
    • 【CVE-2026-20147, CVSS: 9.9】 This vulnerability allows an authenticated remote attacker to execute arbitrary commands on the underlying operating system of an affected device. Exploitation requires valid administrator credentials.
  • Affected Platforms:
    • 【CVE-2026-20180, CVE-2026-20186】
      • Cisco ISE 3.2 and earlier versions
      • Cisco ISE version 3.2
      • Cisco ISE version 3.3
      • Cisco ISE version 3.4
    • 【CVE-2026-20147】
      • Cisco ISE or Cisco ISE-PIC 3.1 and earlier versions
      • Cisco ISE or Cisco ISE-PIC version 3.2
      • Cisco ISE or Cisco ISE-PIC version 3.3
      • Cisco ISE or Cisco ISE-PIC version 3.4
      • Cisco ISE or Cisco ISE-PIC version 3.5
  • Recommended Actions:
    • Upgrade to the fixed releases below. The fix is per release train: a device on a given train is fixed only at the listed patch level or later, and any earlier patch of the same train remains vulnerable.
    • 【CVE-2026-20180, CVE-2026-20186】 Cisco ISE 3.2 Patch 8, Cisco ISE 3.3 Patch 8, Cisco ISE 3.4 Patch 5
    • 【CVE-2026-20147】 Cisco ISE or Cisco ISE-PIC 3.1 Patch 11, Cisco ISE or Cisco ISE-PIC 3.2 Patch 10, Cisco ISE or Cisco ISE-PIC 3.3 Patch 11, Cisco ISE or Cisco ISE-PIC 3.4 Patch 6, Cisco ISE or Cisco ISE-PIC 3.5 Patch 3
    • Affected release trains for which no fixed patch is listed above must be migrated to a fixed release.
    • Note: Cisco ISE-PIC is End-of-Sale and version 3.4 is its last supported release, so the 3.5 Patch 3 entry applies to Cisco ISE only.
  • Reference:
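The following is an added example, not code from Cisco or from TWCERT/CC: it encodes the fixed-release table of this alert and checks an installed release/patch string against it, per vulnerability group. The version strings it accepts ("3.3 Patch 7", or "3.3.0.430 Patch 7") are an assumed, constructed format chosen for this example, not the output of any Cisco command; verify the actual release and patch level on the device before relying on the result.

```python
"""Check a Cisco ISE / ISE-PIC release and patch level against the fixed
releases listed in this alert.

Added example, not vendor code. The FIXED table is transcribed from the
alert; input strings are assumed to look like "3.3 Patch 7" or
"3.3.0.430 Patch 7" (constructed format, not a Cisco command's output).
"""
from __future__ import annotations

import re

# Minimum fixed patch per release train (major, minor), per CVE group,
# transcribed from the "Recommended Actions" section of the alert.
FIXED: dict[str, dict[tuple[int, int], int]] = {
    "CVE-2026-20180 / CVE-2026-20186": {(3, 2): 8, (3, 3): 8, (3, 4): 5},
    "CVE-2026-20147": {(3, 1): 11, (3, 2): 10, (3, 3): 11, (3, 4): 6, (3, 5): 3},
}

# Verdicts returned by assess().
FIXED_OK = "fixed"                     # patch level at or above the fixed patch
VULNERABLE = "vulnerable"              # same train, patch level too low
MIGRATE = "no fixed patch, migrate"    # train older than any fixed train
NOT_LISTED = "train not listed"        # train newer than any train in the alert

# "<major>.<minor>[.<rest>] [Patch <n>]" ; missing patch means Patch 0.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.\S*)?(?:\s+Patch\s+(\d+))?\s*$", re.I)


def parse_version(text: str) -> tuple[tuple[int, int], int]:
    """Parse a release string into ((major, minor), patch)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    train = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3)) if m.group(3) else 0
    return train, patch


def assess(text: str) -> dict[str, tuple[str, int | None]]:
    """Return {cve_group: (verdict, required_patch_or_None)} for one device."""
    train, patch = parse_version(text)
    result: dict[str, tuple[str, int | None]] = {}
    for group, table in FIXED.items():
        needed = table.get(train)
        if needed is None:
            # Train not in the table: either too old (only a migration helps)
            # or newer than anything the alert mentions (check the vendor).
            verdict = MIGRATE if train < min(table) else NOT_LISTED
            result[group] = (verdict, None)
        elif patch >= needed:
            result[group] = (FIXED_OK, needed)
        else:
            result[group] = (VULNERABLE, needed)
    return result


def is_fully_patched(text: str) -> bool:
    """True only if the device is at or above the fixed patch for every group."""
    return all(v == FIXED_OK for v, _ in assess(text).values())


if __name__ == "__main__":
    # Constructed sample inventory; not real device data.
    for node in ("3.3 Patch 7", "3.3 Patch 11", "3.4 Patch 5", "3.1 Patch 11", "3.2"):
        print(node, "->", assess(node), "| fully patched:", is_fully_patched(node))
```

A device on 3.4 Patch 5 illustrates why the check is done per group: it is fixed for CVE-2026-20180/20186 but still needs Patch 6 for CVE-2026-20147, so a single "latest patch" comparison would miss it.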

Computer and Communication Center
Network Systems Division