Cisco issues updates for ISE XML parsing flaw CVE-2026-20029 and Snort 3 bugs

Cisco released updates on Jan 8, 2026 to fix a medium-severity XML parsing flaw in Identity Services Engine (ISE), tracked as CVE-2026-20029 with a CVSS score of 4.9, for which a public proof-of-concept exploit exists, the security advisory said.

KEY FACTS

  • Vulnerability: CVE-2026-20029, CVSS 4.9
  • Affected: Cisco ISE and ISE-PIC releases earlier than 3.5, with specific patch levels listed
  • Impact: Authenticated administrator could read arbitrary files from the host
  • Exploit: Public proof-of-concept code is available

The flaw stems from improper parsing of XML that is handled by the web-based management interface in the licensing feature. By uploading a malicious file through the interface, an authenticated administrative user can access files on the underlying operating system that should be restricted.

Releases earlier than 3.2 are affected and must be migrated to a fixed release. Release 3.2 is fixed in 3.2 Patch 8, 3.3 in 3.3 Patch 8, and 3.4 in 3.4 Patch 4. Release 3.5 is not vulnerable. There are no workarounds, and public proof-of-concept code is reported to be available.

In parallel, a separate security advisory on Snort 3 DCE/RPC announced fixes for two medium-severity DCE/RPC processing bugs. The issues are CVE-2026-20026, with a CVSS score of 5.8, and CVE-2026-20027, with a CVSS score of 5.3. They could lead to denial of service or information disclosure via unauthenticated remote requests.

Affected products for the Snort 3 issues include Secure Firewall Threat Defense when Snort 3 is configured, IOS XE software, and Meraki software. There are no indications of exploitation in the wild for these issues.

Finders: Bobby Gould and Guy Lederfein of Trend Micro Zero Day Initiative

WHY IT MATTERS

The ISE flaw allows an authenticated administrator to access sensitive files that should be out of reach, increasing risk for compromised credentials. The Snort 3 bugs can affect detection engine stability and lead to data leakage or outages, so timely updates are important.