DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-20029: License to Leak: Cracking Cisco ISE with XXE

#security #cve #cybersecurity

License to Leak: Cracking Cisco ISE with XXE

Vulnerability ID: CVE-2026-20029
CVSS Score: 4.9
Published: 2026-01-07

A classic XML External Entity (XXE) vulnerability in the licensing component of Cisco Identity Services Engine (ISE) allows authenticated administrators to read arbitrary files from the underlying OS.

TL;DR

Cisco ISE's licensing module blindly trusts XML input. If you have admin access (or can trick someone who does), you can upload a crafted license file that forces the server to read local system files (like /etc/shadow) and report them back to you. It's a high-privilege flaw, but a deadly one for post-exploitation lateral movement.

⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-611 (XXE)
  • CVSS v3.1: 4.9 (Medium)
  • Attack Vector: Network (Admin Upload)
  • Privileges: High (Admin Required)
  • Impact: Information Disclosure (Arbitrary File Read)
  • EPSS Score: 0.04%
  • Exploit Status: PoC Possible (Trivial)

Affected Systems

  • Cisco Identity Services Engine (ISE) 3.1
  • Cisco Identity Services Engine (ISE) 3.2
  • Cisco Identity Services Engine (ISE) 3.3
  • Cisco Identity Services Engine (ISE) 3.4
  • Cisco ISE Passive Identity Connector (ISE-PIC)
  • Cisco ISE: 3.1.0 (Patches 1-10) (Fixed in: Patch 11)
  • Cisco ISE: 3.2.0 (Patches 1-7) (Fixed in: Patch 8)
  • Cisco ISE: 3.3.0 (Patches 1-7) (Fixed in: Patch 8)
  • Cisco ISE: 3.4.0 (Patches 1-3) (Fixed in: Patch 4)

Exploit Details

  • N/A: No public exploit code available yet, but XXE payloads are standard and trivial to construct.

Mitigation Strategies

  • Disable DTD processing in all XML parsers.
  • Disable External Entity resolution (creation of a specific secure processing feature).
  • Input validation on uploaded file headers.

Remediation Steps:

  1. Identify the current running version of Cisco ISE.
  2. Download the appropriate patch from the Cisco Software Center (e.g., ISE 3.1 Patch 10+).
  3. Backup the current configuration via the ADE-OS command line.
  4. Install the patch and reboot the appliance.
  5. Verify the version number in the bottom right corner of the GUI.

References

Read the full report for CVE-2026-20029 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)