Cisco Patches Critical CVSS 9.1 RCE Flaw in Identity Services Engine — Root Escalation With Admin Credentials

Cisco has released patches for CVE-2026-20181 (CVSS 9.1), an improper input-validation flaw in Cisco Identity Services Engine that allows authenticated admins to execute arbitrary OS commands and escalate to root via crafted HTTP requests. A companion information-disclosure bug, CVE-2026-20190, can expose hashed credentials to unauthenticated attackers. Fixes are available in ISE 3.3 Patch 11 and 3.4 Patch 6 with a hotfix for 3.5; Cisco says it has no evidence of active exploitation, but ISE is a core enterprise network access control system deployed across large AI-connected infrastructure.