A successful attacker could view sensitive information that even admins can’t access.

Credit: Ken Wolter / Shutterstock
The latest flaw in Cisco Systems Identity Services Engine (ISE), which could expose sensitive information to an attacker, requires rotation of credentials as well as installation of a patch to correct, says an expert.
Cisco ISE is a network access control platform that enforces access policy and manages endpoints.
There have been more critical holes in Cisco products, acknowledged Paddy Harrington, a senior analyst at Forrester Research, and this one does need a threat actor with administrative privileges to execute and get read access to sensitive information. “However,” he advised senior infosec leaders with Cisco ISE servers, “don’t let these things hang around.”
Before patching, he said, admins should:
- rotate ISE credentials for those with existing and approved access;
- ensure only those who need access have credentials;
- reduce the number of devices that can access the ISE server;
- patch as soon as it’s possible to take the server offline.
In its notice to customers, Cisco says a vulnerability [CVE-2026-20029] in the licensing features of ISE and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated remote attacker with administrative privileges to gain access to sensitive information. It isn’t clear why this is called a licensing feature vulnerability. Cisco didn’t respond by deadline when asked for an explanation.
The advisory, which describes the problem as of medium criticality, with a CVSS score of 4.9, says the vulnerability is due to improper parsing of XML that is processed by the web-based management interface of Cisco ISE and Cisco ISE-PIC.
Johannes Ullrich, dean of research at the SANS Institute, said, “Most likely, this is an XML External Entity vulnerability.” External entities, he explained, are an XML feature that instructs the parser to either read local files or access external URLs. In this case, an attacker could embed an external entity in the license file, instructing the XML parser to read a confidential file and include it in the response. This is a common vulnerability in XML parsers, he said, typically mitigated by disabling external entity parsing.
An attacker would be able to obtain read access to confidential files like configuration files, he added, and possibly user credentials. Ullrich also said an ISE administrator may have access to a lot of the information, but they should not have access to user credentials.
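The mitigation Ullrich describes, shown as an added Python example that refuses any DTD so no external entity can ever be declared or resolved. This is not Cisco's code and not taken from the advisory; the function names and the two sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class DTDForbidden(ValueError):
    """The uploaded document carries a DOCTYPE, so it may declare entities."""


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted upload, refusing any DTD outright."""

    def forbid_doctype(name, system_id, public_id, has_internal_subset):
        # Entities (internal or external) can only be declared inside a DTD,
        # so aborting at the DOCTYPE means none is ever declared or resolved.
        raise DTDForbidden(f"DOCTYPE {name!r} not allowed in uploaded XML")

    # Pass 1: a bare expat parser whose only job is to abort on a DOCTYPE.
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = forbid_doctype
    scanner.Parse(data, True)

    # Pass 2: the document has no DTD, so build the tree normally.
    return ET.fromstring(data)


def check_upload(data: bytes) -> str:
    """Return a verdict string that an upload handler could log."""
    try:
        root = parse_untrusted_xml(data)
    except DTDForbidden as exc:
        return f"rejected: {exc}"
    except (expat.ExpatError, ET.ParseError) as exc:
        return f"rejected: malformed XML ({exc})"
    return f"accepted: <{root.tag}>"


# Constructed sample inputs (not real ISE license files).
BENIGN = b"<license><feature>base</feature><seats>100</seats></license>"
WITH_ENTITY = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE license [<!ENTITY e SYSTEM "file:///placeholder/path">]>\n'
    b"<license><feature>&e;</feature></license>"
)

if __name__ == "__main__":
    print(check_upload(BENIGN))
    print(check_upload(WITH_ENTITY))
```

Rejecting the DOCTYPE is stricter than disabling only external entities, and it works when the expected file format has no legitimate need for a DTD.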
The Cisco advisory says an attacker could exploit this vulnerability by uploading a malicious file to the application: “A successful exploit could allow the attacker to read arbitrary files from the underlying operating system that could include sensitive data that should otherwise be inaccessible even to administrators. To exploit this vulnerability, the attacker must have valid administrative credentials.”
Cisco said proof-of-concept exploit code is available for this vulnerability, but so far the company isn’t aware of any malicious use of the hole.
These days, admin credentials aren’t hard to get, Harrington noted. The “dirty secret that few people want to talk about is across IT and security operations there are so many systems that are left with default credentials.” That’s particularly common, he said, with devices behind a firewall, such as network access control servers, because admins think that, because they are inside the network, they can’t be touched by external hackers. But lots of credentials can be scooped up in compromises of applications where Cisco admins might have stored passwords.
Coincidentally, today researchers at SCORadar released an analysis of data thefts in 2025. Among other things, it notes that credential theft hit a new high last year. A total of 388 million credentials were stolen from the ten most affected platforms, including Facebook, Google, and Roblox.
This article originally appeared on NetworkWorld.
Howard Solomon is a Toronto-based freelance reporter who writes on IT and cybersecurity issues.
Howard is a former editor of IT World Canada and Computing Canada. An IT journalist over 30 years, he has also written for ITBusiness.ca and Computer Dealer News. Before that he was a staff reporter at the Calgary Herald and the Brampton (Ontario) Daily Times.
