Overview
- CVE-2026-20029 affects Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC): malicious XML uploaded through the web-based management interface lets an attacker read arbitrary files from the appliance.
- Exploitation requires valid administrative credentials, so the practical exposure is from compromised, phished, or misused admin accounts on unpatched systems; the credential requirement lowers the severity but does not remove the need to patch, since ISE admin accounts are high-value targets in their own right.
- Cisco reports no evidence of in-the-wild exploitation but confirms that public exploit code exists and that no workarounds address the vulnerability; upgrading is the only remediation.
- Fixed releases are ISE/ISE-PIC 3.2 Patch 8, 3.3 Patch 8, and 3.4 Patch 4; release 3.5 is not affected. Earlier release trains receive no patch and must be migrated to a fixed release.
- Bobby Gould of Trend Micro's Zero Day Initiative is credited with reporting the issue. Cisco also released fixes at the same time for two Snort 3 DCE/RPC inspector flaws (CVE-2026-20026 and CVE-2026-20027) affecting products that ship Snort 3, including Secure Firewall, IOS XE, and Meraki.
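The summary above says only that "malicious XML" yields arbitrary file reads; the usual way an XML upload turns into a file read is an external entity (XXE) whose SYSTEM identifier names a local path, which the parser then inlines as document text. The following is an added illustration of that general pattern and of the parser-side fix, written for this page; it is not Cisco's code, does not reproduce the ISE defect, and the assumption that CVE-2026-20029 follows this pattern is mine. It uses only the Python standard library expat bindings; the secret file and the `<upload>` payload are constructed inline.

```python
import os
import tempfile
import xml.parsers.expat as expat

# Constructed upload payload: the SYSTEM identifier is filled in at runtime
# with a path to a file the attacker should never be able to read.
PAYLOAD = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE upload [ <!ENTITY grab SYSTEM "%s"> ]>\n'
    b'<upload><data>&grab;</data></upload>\n'
)


def parse_upload(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse an uploaded XML document and return its character data.

    resolve_external=True models the hazardous configuration: a resolver
    that opens whatever path a SYSTEM entity names and feeds the bytes back
    into the document, so file contents come out as ordinary text.
    resolve_external=False models the hardened parser: it rejects any
    DOCTYPE before an entity can even be declared, so no resolver runs.
    """
    collected = []
    parser = expat.ParserCreate()

    def on_chars(data: str) -> None:
        collected.append(data)

    parser.CharacterDataHandler = on_chars

    if resolve_external:
        def external_entity_ref(context, base, system_id, public_id):
            # Read the attacker-chosen path and parse it as an external
            # parsed entity; plain text needs no markup to be well-formed.
            with open(system_id, "rb") as fh:
                content = fh.read()
            sub = parser.ExternalEntityParserCreate(context)
            sub.CharacterDataHandler = on_chars
            sub.Parse(content, True)
            return 1  # tell expat the entity was handled

        parser.ExternalEntityRefHandler = external_entity_ref
    else:
        def reject_doctype(name, system_id, public_id, has_internal_subset):
            # Uploads have no legitimate need for a DTD; refuse it outright
            # instead of trying to filter individual entity declarations.
            raise ValueError("DOCTYPE not allowed in uploaded XML")

        parser.StartDoctypeDeclHandler = reject_doctype

    parser.Parse(xml_bytes, True)
    return "".join(collected)


def demo():
    """Run the payload through both parser configurations.

    Returns (text leaked by the resolving parser, whether the hardened
    parser refused the document).
    """
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "secret.txt")  # constructed stand-in
        with open(secret, "w") as fh:
            fh.write("admin-api-key=EXAMPLE-ONLY")
        payload = PAYLOAD % secret.encode()

        leaked = parse_upload(payload, resolve_external=True)
        try:
            parse_upload(payload, resolve_external=False)
            blocked = False
        except ValueError:
            blocked = True
        return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("resolving parser returned:", repr(leaked))
    print("hardened parser refused DOCTYPE:", blocked)
```

The fix is deliberately a DOCTYPE rejection rather than a blocklist of entity names: any parser feature that lets document-supplied identifiers reach the filesystem or the network is the root problem, and uploads that carry a DTD are a red flag worth logging on any appliance, patched or not.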