CVE-2026-20136

Medienbericht

EPSS 0.06%
Veröffentlicht 15.04.2026 16:11:29
Zuletzt bearbeitet 17.04.2026 15:09:46
Quelle psirt@cisco.com
CVE-Watchlists
Login
Unerledigt
Login

Cisco Identity Services Engine Authenticated Privilege Escalation Vulnerability

A vulnerability in the CLI of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, local attacker with administrative privileges to perform a command injection attack on the underlying operating system and elevate privileges to root.

This vulnerability is due to insufficient validation of user supplied input. An attacker could exploit this vulnerability by providing crafted input to a specific CLI command. A successful exploit could allow the attacker to elevate their privileges to root on the underlying operating system.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerCisco

≫

Produkt Cisco Identity Services Engine Software

Default Statusunknown

Version 3.1.0

Status affected

Version 3.1.0 p1

Status affected

Version 3.1.0 p3

Status affected

Version 3.1.0 p2

Status affected

Version 3.2.0

Status affected

Version 3.1.0 p4

Status affected

Version 3.1.0 p5

Status affected

Version 3.2.0 p1

Status affected

Version 3.1.0 p6

Status affected

Version 3.2.0 p2

Status affected

Version 3.1.0 p7

Status affected

Version 3.3.0

Status affected

Version 3.2.0 p3

Status affected

Version 3.2.0 p4

Status affected

Version 3.1.0 p8

Status affected

Version 3.2.0 p5

Status affected

Version 3.2.0 p6

Status affected

Version 3.1.0 p9

Status affected

Version 3.3 Patch 2

Status affected

Version 3.3 Patch 1

Status affected

Version 3.3 Patch 3

Status affected

Version 3.4.0

Status affected

Version 3.2.0 p7

Status affected

Version 3.3 Patch 4

Status affected

Version 3.4 Patch 1

Status affected

Version 3.1.0 p10

Status affected

Version 3.3 Patch 5

Status affected

Version 3.3 Patch 6

Status affected

Version 3.4 Patch 2

Status affected

Version 3.3 Patch 7

Status affected

Version 3.4 Patch 3

Status affected

Version 3.5.0

Status affected

Version 3.4 Patch 4

Status affected

Version 3.3 Patch 8

Status affected

Version 3.2 Patch 8

Status affected

Version 3.5 Patch 1

Status affected

Version 3.3 Patch 9

Status affected

Version 3.2 Patch 9

Status affected

Version 3.4 Patch 5

Status affected

Version 3.5 Patch 2

Status affected

Version 3.3 Patch 10

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.169

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
psirt@cisco.com	6	0.8	5.2	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

https://www.heise.de/news/Cisco-Kritische-Codeschmuggel-Luecken-in-ISE-und-mehr-geschlossen-11259815.html

Media Report

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-cmd-inj-5WSJcYJB

https://nvd.nist.gov/vuln/detail/CVE-2026-20136

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-20136

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-20136

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-20136