{"id":15437,"date":"2026-01-09T02:12:45","date_gmt":"2026-01-09T02:12:45","guid":{"rendered":"https:\/\/newestek.com\/?p=15437"},"modified":"2026-01-09T02:12:45","modified_gmt":"2026-01-09T02:12:45","slug":"cisco-identifies-vulnerability-in-ise-network-access-control-devices","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15437","title":{"rendered":"Cisco identifies vulnerability in ISE network access control devices"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>The latest flaw in Cisco Systems Identity Services Engine (ISE), which could expose sensitive information to an attacker, requires rotation of credentials as well as installation of a patch to correct, says an expert.<\/p>\n<p>Cisco ISE is a network access control platform that\u00a0enforces access policy and manages endpoints.<\/p>\n<p>There have been more critical holes in Cisco products, acknowledged Paddy Harrington, a senior analyst at Forrester Research, and this one does need a threat actor with administrative privileges to execute and get read access to sensitive information. 
\u201cHowever,\u201d he advised senior infosec leaders with Cisco ISE servers, \u201cdon\u2019t let these things hang around.\u201d<\/p>\n<p>Before patching, he said, admins should:<\/p>\n<ul class=\"wp-block-list\">\n<li>rotate ISE credentials for those with existing and approved access;<\/li>\n<li>ensure only those who need access have credentials;<\/li>\n<li>reduce the number of devices that can access the ISE server;<\/li>\n<li>patch as soon as it\u2019s possible to take the server offline.<\/li>\n<\/ul>\n<p><a href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-ise-xxe-jWSbSDKt\" target=\"_blank\" rel=\"noreferrer noopener\">In its notice to customers<\/a>, Cisco says a <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-20029\" target=\"_blank\" rel=\"noreferrer noopener\">vulnerability<\/a> [CVE-2026-20029] in the licensing features of ISE and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated remote attacker with administrative privileges to gain access to sensitive information. It isn\u2019t clear why this is called a licensing feature vulnerability. Cisco didn\u2019t respond by deadline when asked for an explanation.<\/p>\n<p>The advisory, which describes the problem as of medium criticality, with a CVSS score of 4.9, says the vulnerability is due to improper parsing of XML that is processed by the web-based management interface of Cisco ISE and Cisco ISE-PIC.<\/p>\n<p>Johannes Ullrich, dean of research at the SANS Institute, said, \u201cMost likely, this is an XML External Entity vulnerability.\u201d\u00a0External entities, he explained, are an XML feature that instructs the parser to either read local files or access external URLs. In this case, an attacker could embed an external entity in the license file, instructing the XML parser to read a confidential file and include it in the response. 
This is a common vulnerability in XML parsers, he said, typically mitigated by disabling external entity parsing.<\/p>\n<p>An attacker would be able to obtain read access to confidential files like configuration files, he added, and possibly user credentials. Ullrich also said an ISE administrator may have access to a lot of the information, but they should not have access to user credentials.<\/p>\n<p>The Cisco advisory says an attacker could exploit this vulnerability by uploading a malicious file to the application: \u201cA successful exploit could allow the attacker to read arbitrary files from the underlying operating system that could include sensitive data that should otherwise be inaccessible even to administrators. To exploit this vulnerability, the attacker must have valid administrative credentials.\u201d<\/p>\n<p>Cisco said proof-of-concept exploit code is available for this vulnerability, but so far the company isn\u2019t aware of any malicious use of the hole.\u00a0<\/p>\n<p>These days, admin credentials aren\u2019t hard to get, Harrington noted. The \u201cdirty secret that few people want to talk about is across IT and security operations there are so many systems that are left with default credentials.\u201d That\u2019s particularly common, he said, with devices behind a firewall, such as network access control servers, because admins think because they are inside the network they can\u2019t be touched by external hackers. 
But lots of credentials can be scooped up in compromises of applications where Cisco admins might have stored passwords.<\/p>\n<p><strong>Related content: <a href=\"https:\/\/community.cisco.com\/t5\/security-knowledge-base\/cisco-ise-related-vulnerability-cve-2025-20281-amp-20282-amp\/ta-p\/5302518\" target=\"_blank\" rel=\"noreferrer noopener\">Cisco warns of three critical ISE vulnerabilities<\/a><\/strong><\/p>\n<p>Coincidentally, today researchers at SOCRadar <a href=\"https:\/\/socradar.io\/resources\/whitepapers\/end-of-the-year-intelligence-2025\/\" target=\"_blank\" rel=\"noreferrer noopener\">released an analysis of data thefts in 2025<\/a>. Among other things, it notes that credential theft hit a new high last year. A total of 388 million credentials were stolen from the ten most affected platforms, including Facebook, Google, and Roblox.<\/p>\n<p><em>This article originally appeared on <a href=\"https:\/\/www.networkworld.com\/article\/4114677\/cisco-identifies-vulnerability-in-ise-network-access-control-devices.html\" target=\"_blank\">NetworkWorld<\/a>.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The latest flaw in Cisco Systems Identity Services Engine (ISE), which could expose sensitive information to an attacker, requires rotation of credentials as well as installation of a patch to correct, says an expert. Cisco ISE is a network access control platform that\u00a0enforces access policy and manages endpoints. 
There have been more critical holes in Cisco products, acknowledged Paddy Harrington, a senior analyst at Forrester&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15437\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15437","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15437","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15437"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15437\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15437"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15437"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15437"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}