- rotate ISE credentials for those with existing and approved access;
- ensure only those who need access have credentials;
- reduce the number of devices that can access the ISE server;
- patch as soon as it’s possible to take the server offline.

In its notice to customers, Cisco says a vulnerability [CVE-2026-20029] in the licensing features of ISE and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated remote attacker with administrative privileges to gain access to sensitive information. It isn’t clear why this is called a licensing feature vulnerability. Cisco didn’t respond by deadline when asked for an explanation.

The advisory, which rates the problem as medium severity with a CVSS score of 4.9, says the vulnerability is due to improper parsing of XML processed by the web-based management interface of Cisco ISE and Cisco ISE-PIC.

Johannes Ullrich, dean of research at the SANS Institute, said, “Most likely, this is an XML External Entity vulnerability.” External entities, he explained, are an XML feature that instructs the parser to either read local files or access external URLs. In this case, an attacker could embed an external entity in the license file, instructing the XML parser to read a confidential file and include it in the response. This is a common vulnerability in XML parsers, he said, typically mitigated by disabling external entity parsing. An attacker would be able to obtain read access to confidential files like configuration files, he added, and possibly user credentials.

Ullrich also said an ISE administrator may have access to a lot of the information, but they should not have access to user credentials.

The Cisco advisory says an attacker could exploit this vulnerability by uploading a malicious file to the application: “A successful exploit could allow the attacker to read arbitrary files from the underlying operating system that could include sensitive data that should otherwise be inaccessible even to administrators. To exploit this vulnerability, the attacker must have valid administrative credentials.”

Cisco said proof-of-concept exploit code is available for this vulnerability, but so far the company isn’t aware of any malicious use of the hole.

These days, admin credentials aren’t hard to get, Harrington noted. The “dirty secret that few people want to talk about is across IT and security operations there are so many systems that are left with default credentials.” That’s particularly common, he said, with devices behind a firewall, such as network access control servers, because admins assume that being inside the network puts them out of reach of external hackers. But lots of credentials can be scooped up in compromises of applications where Cisco admins might have stored passwords.

Coincidentally, today researchers at SCORadar released an analysis of data thefts in 2025. Among other things, it notes that credential theft hit a new high last year. A total of 388 million credentials were stolen from the ten most affected platforms, including Facebook, Google, and Roblox.

This article originally appeared on NetworkWorld.
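The mechanism Ullrich describes (an external entity that tells the parser to read a local file into the parsed output) and the mitigation he names (refusing external entity parsing), as an added example that is not from the article, from Cisco, or from SANS: a Python loader for uploaded XML built on the standard library’s expat bindings that aborts the parse on any DOCTYPE, entity declaration, or external entity reference before the document reaches application logic. The license-file shape, element names, and the `file:///` path in the rejected sample are constructed for illustration and are not Cisco ISE’s real license format.

```python
"""Refuse DTD/entity constructs in untrusted XML uploads before parsing them.

Added example, not code from the article or from Cisco. Uses only the standard
library (xml.parsers.expat); the sample documents below are constructed.
"""
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when an uploaded document uses a construct we refuse to process."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse `data` and return a flat {tag: text} map of its leaf elements.

    Any DOCTYPE, entity declaration, or external entity reference raises
    UnsafeXMLError, so a declaration such as
    <!ENTITY x SYSTEM "file:///..."> is never expanded into the result.
    """
    parser = expat.ParserCreate()
    # Never load parameter entities (external DTD subsets) at all.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    # Each handler raises; an exception inside a handler aborts Parse().
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE declaration not allowed (root {name!r})")

    def reject_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration not allowed: {name!r}")

    def reject_external_ref(context, base, sysid, pubid):
        raise UnsafeXMLError(f"external entity reference not allowed: {sysid!r}")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_ref

    # Minimal tree building: collect text of leaf elements by tag name.
    result: dict = {}
    text_stack: list = []

    def start(tag, attrs):
        text_stack.append("")

    def chars(s):
        if text_stack:
            text_stack[-1] += s

    def end(tag):
        content = text_stack.pop().strip()
        if content:
            result[tag] = content

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return result


def check_upload(data: bytes) -> tuple:
    """Return (accepted, reason) for an uploaded document; reason is loggable."""
    try:
        parse_untrusted_xml(data)
        return True, "ok"
    except UnsafeXMLError as exc:
        return False, str(exc)
    except expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"


# Constructed sample: a benign license-style upload (hypothetical format).
BENIGN_LICENSE = b"""<?xml version="1.0"?>
<license><product>example-nac</product><expires>2027-01-01</expires></license>"""

# Constructed sample of the shape Ullrich describes: an external entity that a
# permissive parser would expand by reading a local file into the output.
XXE_LICENSE = b"""<?xml version="1.0"?>
<!DOCTYPE license [<!ENTITY secret SYSTEM "file:///etc/hostname">]>
<license><product>&secret;</product></license>"""


if __name__ == "__main__":
    print("benign:", check_upload(BENIGN_LICENSE), parse_untrusted_xml(BENIGN_LICENSE))
    print("xxe:   ", check_upload(XXE_LICENSE))
```

The strict choice here is to refuse any DOCTYPE rather than only external entities, which is the right default for an upload endpoint that never legitimately needs a DTD; it also removes internal entity expansion abuse. If a DTD is genuinely required, drop only the DOCTYPE handler and keep the entity-declaration and external-reference rejections, and log the returned reason so rejected uploads can be alerted on.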
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4114715/cisco-identifies-vulnerability-in-ise-network-access-control-devices-2.html