Multiple Vulnerabilities in Cisco Identity Services Engine
19 June 2026
Attackers can exploit multiple vulnerabilities in Cisco Identity Services Engine to execute arbitrary commands on the underlying operating system and disclose sensitive information. Patch immediately.
Background
Cisco has released security updates to address a command injection vulnerability (CVE-2026-20181) and an information disclosure vulnerability (CVE-2026-20190) affecting Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC).
CVE-2026-20181 has a Common Vulnerability Scoring System (CVSS v3.1) score of 9.1 out of 10, and CVE-2026-20190 has a score of 7.5 out of 10.
Impact
Successful exploitation of these vulnerabilities could lead to the following:
- CVE-2026-20181: Due to insufficient validation of user-supplied input, an authenticated attacker with administrative credentials could send a crafted HTTP request to execute arbitrary commands on the underlying operating system, potentially escalating privileges to root.
- CVE-2026-20190: Due to improper authorisation checks when a resource is accessed, an unauthenticated attacker could send crafted traffic to an affected device to gain access to sensitive information, including hashed credentials that could be used in future attacks.
Affected Products
These vulnerabilities affect Cisco ISE and Cisco ISE-PIC, regardless of device configuration.
Recommendations
Users and administrators of affected products are advised to update to the latest versions immediately.
Cisco ISE-PIC has reached the end-of-sale date. Release 3.4 is the last supported release.
A hot patch for Cisco ISE is available upon request. Contact the Cisco Technical Assistance Center (TAC).
The fixed release for CVE-2026-20181 on Cisco ISE 3.5 (Patch 4) will not be available until August 2026.
References
https://nvd.nist.gov/vuln/detail/CVE-2026-20181
https://nvd.nist.gov/vuln/detail/CVE-2026-20190
https://www.securityweek.com/critical-command-execution-vulnerability-patched-in-cisco-ise/
