- Last update: 17/04/2026
- Affected software:
→ Cisco Identity Services Engine (ISE) versions 3.x.x (3.1.0 - 3.4.0, and 3.1.0 p1-p10, 3.2.0 p1-p7, 3.3 Patches 1-7, and 3.4 Patches 1-3)
- Type:
→ Command injection (CWE‑77)
→ Remote code execution via command injection (CWE‑77)
→ Path traversal / directory traversal (CWE‑22)
- CVE/CVSS:
→ CVE-2026-20186: CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
→ CVE-2026-20147: CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
→ CVE-2026-20180: CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-rce-4fverepv
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-rce-traversal-8bYndVrZ
Three newly disclosed vulnerabilities in Cisco ISE (Identity Services Engine) allow attackers to execute arbitrary commands remotely, which can lead to service disruption, system takeover, and compromise. The attacker needs a low-privilege role, for example at least Read Only Admin credentials.
At the time of writing, there is no publicly available proof-of-concept or proof-of-exploitation for any of those vulnerabilities.
Exploiting any of these three vulnerabilities has a high impact on all aspects of the CIA triad (Confidentiality, Integrity, Availability) of the affected system.
CVE-2026-20186: A remote attacker with low privileges and without user interaction can inject commands to escalate privileges to root. If the ISE deployment is single-node, then that can cause Denial-of-Service (DoS).
CVE-2026-20147: A remote attacker with low privileges and without user interaction can send crafted HTTP requests to execute arbitrary commands on the underlying operating system to elevate their privileges to root. If the ISE deployment is single-node, then that can cause Denial-of-Service (DoS).
CVE-2026-20180: A remote attacker with low privileges and no user interaction can send crafted HTTP requests to execute code remotely because of insufficient validation of user-supplied input in HTTP request handling. That way they can raise their privileges to root and compromise the system.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends that organizations upscale their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
https://github.com/advisories/GHSA-4w7q-f6rr-2p4r
https://github.com/advisories/GHSA-6m6h-8f8v-r7j4
https://github.com/advisories/GHSA-6fqc-22r3-wrxm