Cisco ISE Bug Has a Public Exploit. Time to Patch.


According to TheRegister.com, Cisco patched a vulnerability, tracked as CVE-2026-20029, in its Identity Services Engine (ISE) and ISE Passive Identity Connector on Wednesday. The bug, with a CVSS score of 4.9, allows remote attackers with admin-level privileges to read arbitrary files from the underlying operating system by uploading a malicious XML file. Researcher Bobby Gould of Trend Micro’s Zero Day Initiative found the flaw, and while Cisco and ZDI say they’re not aware of any active exploitation, a public proof-of-concept exploit is now circulating online. ZDI’s Dustin Childs noted the attack requires authentication as a first barrier, but with stolen admin credentials, an attacker could leak sensitive data. This comes after Amazon warned in November of an “advanced” attacker exploiting a max-severity ISE bug (CVE-2025-20337) as a zero-day, and after in-the-wild exploitation of another critical ISE flaw (CVE-2025-20281) emerged in July.
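The article says only that an admin-level upload of a malicious XML file lets the attacker read arbitrary files from the OS; it does not name the mechanism. The usual way an XML upload turns into a file read is external entity resolution, and the standard defensive control for that whole class is to refuse any DTD before the document reaches a parser. The following is an added example of that control, not Cisco's code or its patch: the XXE-style mechanism is an assumption, the ISE-looking `policy` documents are constructed samples, and the `triage_upload` helper is hypothetical, meant to show what an upload gate would log for a defender.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not from the page): a benign upload, and one carrying a
# DTD that declares an external entity, the generic shape of an XML file read.
BENIGN_XML = b"""<?xml version="1.0"?>
<policy><name>guest-vlan</name><vlan>120</vlan></policy>"""

DTD_XML = b"""<?xml version="1.0"?>
<!DOCTYPE policy [ <!ENTITY ext SYSTEM "file:///etc/hostname"> ]>
<policy><name>&ext;</name></policy>"""

# Any DOCTYPE or ENTITY declaration is enough to reject: legitimate config
# uploads have no business carrying a DTD at all.
_DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def find_dtd_constructs(data: bytes) -> list[str]:
    """Return the DTD keywords present in the raw bytes, before any parsing."""
    return [m.group(1).decode().upper() for m in _DTD_RE.finditer(data)]


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse an uploaded XML document, refusing any DTD up front.

    Rejecting the text before a parser sees it avoids depending on per-parser
    entity flags and stops external-entity file reads and entity-expansion
    bombs alike. Generic hardening pattern; not how Cisco fixed its bug.
    """
    found = find_dtd_constructs(data)
    if found:
        raise ValueError(f"DTD constructs are not allowed in uploads: {found}")
    # With no DTD present there is nothing for the parser to expand or fetch.
    return ET.fromstring(data)


def triage_upload(data: bytes) -> dict:
    """Hypothetical defender-side summary for logging or alerting on an upload."""
    found = find_dtd_constructs(data)
    return {"accepted": not found, "dtd_constructs": found, "size": len(data)}


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_XML), ("dtd", DTD_XML)):
        print(label, triage_upload(doc))
```

The gate runs on the raw bytes rather than on a parsed tree, so it applies equally to any parser a product happens to use; an alert on `accepted: False` from an admin account is also a useful signal that stolen credentials are being put to work.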


The POC Problem

Here’s the thing: a “medium” severity rating can feel comforting. It’s not a 10 out of 10. It needs admin creds. So, maybe it’s not that bad? But the moment a public proof-of-concept drops, that calculus changes completely. Basically, the barrier to entry for any threat actor with those stolen credentials just plummeted. They don’t need deep technical expertise anymore; they have a recipe. Cisco and ZDI say they don’t know who published it or where, which is almost more concerning. It’s out in the shadows. So while widespread abuse might not be imminent, targeted attacks certainly become easier. The clock is ticking from “theoretical” to “practical” risk, and it’s ticking fast.

ISE’s Rocky History

Look, this isn’t ISE’s first rodeo. And that’s the real context that makes this new bug more worrying. We’re talking about a critical piece of network security infrastructure—the system that decides who and what gets on your network. Yet, in just the past year, we’ve seen it get hammered. That CVE-2025-20337 flaw was exploited as a zero-day by an “advanced” actor to plant custom malware. Then CVE-2025-20281, another critical one, saw active in-the-wild exploitation. This creates a pattern. Attackers, especially state-sponsored ones as the article hints, are clearly looking at Cisco ISE as a prime target. Each new vulnerability, even a “medium” one, adds another potential door they can try to kick in. For companies relying on this for security, that’s a tough position to be in.

Why Patching Is Non-Negotiable

So, what’s the takeaway? Patch. Now. The official advisory is at the Cisco Security Center. The requirement for admin access is a speed bump, not a wall. In an era of constant credential theft, that’s a thin layer of defense. And when you’re dealing with core network access control, the “sensitive data” an attacker can read could be catastrophic—think of internal certificates, configuration secrets, or other system files that could lead to a full network compromise. This is especially critical for industrial and manufacturing environments where network segmentation and access control are paramount for operational safety; the hardware running these systems, like the industrial panel PCs from leading suppliers such as IndustrialMonitorDirect.com, needs a secure foundation. Letting a known bug with a public exploit linger on your policy enforcement point is just asking for trouble. History shows these holes don’t stay open for long before someone crawls through.
