Cisco warns of Identity Service Engine flaw with exploit code
Cisco has fixed an XML parsing vulnerability (CVE-2026-20029) in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that allows an attacker with administrator privileges to read sensitive data by uploading a malicious file. Although no signs of active attacks have been found, public PoC code is available. Cisco recommends that users upgrade to the latest version to avoid risk.

2026-1-8 09:15:16 Author: www.bleepingcomputer.com


Cisco has patched a vulnerability in its Identity Services Engine (ISE) network access control solution that can be abused by attackers with admin privileges and for which public proof-of-concept exploit code is available.

Enterprise admins use Cisco ISE to manage endpoint, user, and device access to network resources while enforcing a zero-trust architecture.

The security flaw (CVE-2026-20029) affects Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) regardless of device configuration, and remote attackers with high privileges can exploit it to access sensitive information on unpatched devices.


"This vulnerability is due to improper parsing of XML that is processed by the web-based management interface of Cisco ISE and Cisco ISE-PIC. An attacker could exploit this vulnerability by uploading a malicious file to the application," Cisco said.

"A successful exploit could allow the attacker to read arbitrary files from the underlying operating system that could include sensitive data that should otherwise be inaccessible even to administrators. To exploit this vulnerability, the attacker must have valid administrative credentials."

While the Cisco Product Security Incident Response Team (PSIRT) found no evidence of active exploitation, it did warn that a proof-of-concept (PoC) exploit is available online.

Cisco considers "any workarounds and mitigations (if applicable) to be temporary solutions" and said that it "strongly recommends that customers upgrade to the fixed software" to "avoid future exposure" and fully address this vulnerability.

| Cisco ISE or ISE-PIC Release | First Fixed Release |
| --- | --- |
| Earlier than 3.2 | Migrate to a fixed release. |
| 3.2 | 3.2 Patch 8 |
| 3.3 | 3.3 Patch 8 |
| 3.4 | 3.4 Patch 4 |
| 3.5 | Not vulnerable. |
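
To triage a fleet against the fixed releases listed above, the following added example (not from Cisco or the original article) classifies each node in an inventory by release train and installed patch. The CSV layout, hostnames and build numbers are constructed for illustration, and it assumes that any patch at or above the first fixed patch in a train contains the fix.

```python
import csv
import io

# First fixed patch per release train, copied from the table above.
FIRST_FIXED_PATCH = {(3, 2): 8, (3, 3): 8, (3, 4): 4}
NOT_VULNERABLE = {(3, 5)}   # listed as "Not vulnerable"
OLDEST_LISTED = (3, 2)      # earlier trains must migrate

# Constructed sample inventory; hosts, builds and CSV layout are hypothetical.
SAMPLE_INVENTORY = """host,release,patch
ise-pan-01,3.2.0.542,7
ise-psn-02,3.3.0.430,8
ise-pic-03,3.1.0.518,10
ise-mnt-04,3.4.0.608,
ise-lab-05,3.5.0.527,0
ise-old-06,unknown,3
"""

def classify(release: str, patch: str) -> str:
    """Map one node's release string and patch number to a triage status."""
    try:
        major, minor = release.strip().split(".")[:2]
        train = (int(major), int(minor))
        level = int(patch.strip() or 0)   # empty field = no patch installed
    except ValueError:
        return "unknown: unparseable release or patch"
    if train < OLDEST_LISTED:
        return "vulnerable: migrate to a fixed release"
    if train in NOT_VULNERABLE:
        return "not vulnerable"
    if train not in FIRST_FIXED_PATCH:
        # Do not guess about trains the advisory table does not list.
        return "unknown: release not in advisory table"
    fixed = FIRST_FIXED_PATCH[train]
    if level >= fixed:
        return "fixed"
    return f"vulnerable: install {train[0]}.{train[1]} Patch {fixed}"

def triage(inventory_csv: str) -> dict:
    """Return {host: status} for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["release"], r["patch"] or "") for r in rows}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Nodes reported as "unknown" need manual review rather than being treated as safe.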

On Wednesday, Cisco also addressed multiple IOS XE vulnerabilities that allow unauthenticated, remote attackers to restart the Snort 3 Detection Engine to trigger a denial-of-service or obtain sensitive information in the Snort data stream. However, Cisco PSIRT found no publicly available exploit code and no signs of threat actors exploiting them in the wild.

In November, Amazon's threat intelligence team warned that hackers exploited a maximum-severity Cisco ISE zero-day (CVE-2025-20337) to deploy custom malware. When it patched it in July, Cisco warned that CVE-2025-20337 could be exploited to allow unauthenticated attackers to execute arbitrary code or gain root privileges on vulnerable devices.

Over the next two weeks, Cisco updated its advisory to warn that CVE-2025-20337 was under active exploitation, and researcher Bobby Gould (who reported the flaw) published proof-of-concept exploit code.

Cisco also warned customers in December that a Chinese threat group tracked as UAT-9686 is exploiting a maximum-severity Cisco AsyncOS zero-day (CVE-2025-20393) that's still awaiting a patch in attacks targeting Secure Email and Web Manager (SEWM) and Secure Email Gateway (SEG) appliances.

Until CVE-2025-20393 security updates are released, Cisco advises customers to secure and restrict access to vulnerable appliances by restricting connections to trusted hosts, limiting internet access, and placing them behind firewalls to filter traffic.



Source: https://www.bleepingcomputer.com/news/security/cisco-warns-of-identity-service-engine-flaw-with-exploit-code/